Copyright IBM Corporation 2008 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit objectives
After completing this unit, you should be able to:
- Define terminology and concepts of IBM System p servers
- List common configurations available for IBM System p servers
- Describe the roles of the system administrator
- Obtain root access with the su command
Workstation configuration
Single-user graphical workstation (figure): a System p system with a graphics adapter driving a Personal Computer Display or PowerDisplay (15, 17, 20 or 23 inches). Built-in adapters: two serial ports, SCSI, keyboard, mouse, diskette, Ethernet and tablet.
Server configurations
Multiuser system (figure): a System p server unit with an async adapter serving ASCII terminals; networked clients (PCs used for file transfer) reach the server over the network.
PC connectivity (figure): a System p server and a PC connected over the network.
Logical partitions (figure): one System p server divided into several LPARs, each running its own operating system with its own processors (P), memory (M), adapters (A) and disk.
AIX 6 highlights
Workload partitions:
- Multiple instances of AIX images in a single LPAR
- WPAR mobility (on POWER4, POWER5 or POWER6)
- WLM infrastructure for resource balance and constraint
Security:
- Enhanced RBAC (roles)
- Trusted AIX
- Trusted Execution
- Encrypted file systems
- AIX Security Expert enhancements
RAS:
- Virtual storage protection keys
- Processor recovery
Performance:
- Dynamic page sizes and 32 TB memory support
- Processor folding for donating dedicated processors
- SPURR accounting for variable clock speeds
- Math APIs for Decimal Floating Point (DFP)
- Drivers for POWER6-related hardware: SAS, SATA, PCI Express, HEA, and so forth
HMC management
Hardware Management Console (HMC):
- Partition configuration and control
- Dynamic partitioning for LPARs (AIX 5L V5.2 and later)
- Capacity Upgrade on Demand (CUoD)
- Diagnostics
- Operational management
- Remote HMC control
(figure: IBM managed systems connected over the network to the HMC and to an alternate HMC)
Role of the system administrator:
- Install and configure hardware
- Configure the software
- Configure the network
- System backup
- Create and manage user accounts
- Define and manage subsystems
- Manage system resources (for example, disk space)
- Performance monitoring
- Capacity planning
- Managing licenses for products
- Document the system configuration and keep it current
Obtaining root access: from an ordinary user's shell prompt ($), run su root. The root password must be entered; the switch is recorded by the system, so it can be audited afterwards.
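su is the audited path to root authority. As an added example, not part of the course material, the shell functions below read records in the layout AIX writes to /var/adm/sulog (assumed here to be SU MM/DD HH:MM +|- tty from-to, where + is a successful switch and - a failed one) and report repeated failed attempts to become another user, which is what a password-guessing attempt against root leaves behind. The records are constructed for the example.

```shell
#!/bin/sh
# Added example: audit su activity from /var/adm/sulog-style records.
# Assumed record format (one line per attempt): SU MM/DD HH:MM +|- tty from-to
# where "+" is success and "-" failure. The lines below are constructed
# for this example, not taken from a real system.

SAMPLE_SULOG='SU 06/22 20:01 + pts/0 ray-root
SU 06/22 20:03 - pts/1 guest-root
SU 06/22 20:04 - pts/1 guest-root
SU 06/22 20:05 - pts/1 guest-root
SU 06/22 20:09 + pts/0 ray-root
SU 06/23 07:15 + tty0 ray-operator'

# sulog_summary [FILE]
# Prints "from to ok fail" counts per (from,to) pair, most failures first.
# Reads FILE if given, otherwise the constructed sample above.
sulog_summary() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_SULOG"; fi |
    awk '$1 == "SU" && NF == 6 {
            split($6, p, "-")          # from-to (user names without hyphens)
            key = p[1] " " p[2]
            if ($4 == "+") ok[key]++; else fail[key]++
            seen[key] = 1
         }
         END { for (k in seen) printf "%s %d %d\n", k, ok[k] + 0, fail[k] + 0 }' |
    sort -k4,4nr -k1,1
}

# sulog_bruteforce THRESHOLD [FILE]
# Prints "from to failures" for every pair whose failed attempts reach
# THRESHOLD; repeated failures against root are the signal to look for.
sulog_bruteforce() {
    thr=$1; shift
    sulog_summary "$@" | awk -v t="$thr" '$4 >= t { print $1, $2, $4 }'
}
```

Run sulog_bruteforce 3 /var/adm/sulog on a real system; the split on the hyphen assumes user names that contain none, which is the usual case but worth knowing.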
Checkpoint
1. What type of adapter are you likely to require for communicating from a logical partition?
   a. Asynchronous
   b. Graphics
   c. Ethernet
Welcome to:
Copyright IBM Corporation 2005 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit objectives
After completing this unit, you should be able to:
- Describe the benefits of the system management tools available with AIX version 6.1
- Discuss the functionality of SMIT
- Explain how SMIT activity is logged
AIX administration (figure)
System management tools, from top to bottom:
- SMIT, Web-based System Manager and Systems Director
- High-level commands
- Intermediate-level commands
- Low-level commands
- The objects they act on: flat ASCII files (for example /etc/profile, /etc/qconfig, /etc/filesystems, /etc/rc and /etc/passwd), the Object Data Manager (ODM), the System Resource Controller (SRC), and kernel services and system calls
SMIT Motif interface (figure): menu pop-ups, a dialog panel and an output panel.
Dialog screen

  Schedule a Job

  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.

                                                  [Entry Fields]
    YEAR                                          [07]          #
    MONTH                                         [Jun]
    DAY (1-31)                                    [22]          #
  * HOUR (0-23)                                   []            #
  * MINUTES (0-59)                                []            #
    SHELL to use for job execution                Korn (ksh)
  * COMMAND or SHELL SCRIPT (full pathname)       []

  F4=List    F8=Image
Output screen

  Command: OK            stdout: yes           stderr: no

  Before command completion, additional instructions may appear below.

  [TOP]
       UID   PID  PPID   C    STIME  TTY  TIME CMD
      root     1     0   4 20:15:04    -  1:49 /etc/init
      root  1719     1   0 20:16:14    -  0:10 /etc/syncd 60
      root  2003     1   0 20:16:19    -  0:00 /etc/srcmstr
      root  2233     1   0 17:16:14    -  0:00 /usr/lib/errdemon
       ray  3525     1   0 20:01:28    0  0:00 -ksh
      root  3806  2003   0 19:16:23    -  0:00 /etc/syslogd
       ray  4162  3525   6 20:53:22    0  0:04 smit
      root  5355     1   0 20:16:27    -  0:12 /etc/cron
      root  6649  2003   0 20:16:32    -  0:00 qdaemon
       ray  7303  4162   8 20:09:45    0  0:00 ps -ef
  [MORE...6]

  F1=Help  F2=Refresh  F3=Cancel  F6=Command  F8=Image  F9=Shell  F10=Exit  n=Find Next  /=Find
SMIT logging
$HOME/smit.log
  Keeps a log of all menu and dialog screens visited, all commands executed and their output. Also records any errors that occur during the SMIT session.
$HOME/smit.script
  A shell script containing all AIX commands executed by SMIT (the list of commands without their output), so the commands SMIT ran can be reviewed or rerun.
Checkpoint
1. Specify the SMIT function keys that can be used for the following:
   a) List the command that will be run: ____
   b) List the screen name which can be used for the fastpath: ____
   c) Take a screen image: ____
   d) Break out into a shell: ____
   e) Return to the previous menu: ____
2. Specify two ways you can request the ASCII character version of SMIT from an X-windows environment command prompt:
   ________________
   ________________
Checkpoint solutions
1. Specify the SMIT function keys that can be used for the following:
   a) List the command that will be run: F6
   b) List the screen name which can be used for the fastpath: F8
   c) Take a screen image: F8
   d) Break out into a shell: F9
   e) Return to the previous menu: F3
2. Specify two ways you can request the ASCII character version of SMIT from an X-windows environment command prompt:
   smitty
   smit -C
Exercise: Using SMIT with the ASCII interface; Using SMIT with the Motif interface (optional)
Unit summary
- Most system administration tasks can be completed using either the ASCII or the graphical (Motif) version of SMIT
- SMIT provides logging of activities and generated commands
- SMIT has useful fastpaths for bypassing the menu structures
Checkpoint solutions
1. What type of adapter are you likely to require for communicating from a logical partition?
   a. Asynchronous
   b. Graphics
   c. Ethernet
2. [...] system, in an LPAR, may be either physical or virtual.
   True, with POWER5 the LPAR can have virtual SCSI and Virtual Ethernet adapters.
3. [...] authority even if you signed on using another user ID. But, you must also know the root password.
Unit summary
Common configurations:
- Single-user graphics workstation
- Multiuser ASCII
- Networked system
- X Window-enabled PC
Roles of the system administrator:
- Pre-installation planning
- Install hardware, software, network
- Manage user accounts, system resources, licenses
- Backup/recovery
- Define subsystems
- Performance monitoring, capacity planning
Unit objectives
After completing this unit, you should be able to:
- Describe the system startup process
- Explain how to shut down the system
- Describe the contents of the /etc/inittab file
- Manage the system environment
Startup modes
- Normal mode: login prompt, all processes running (multi-user mode)
- System Management Services (SMS): not AIX, runs from firmware, sets the boot list
- Maintenance mode: maintenance menu, used to recover the root password or fix a machine that won't boot
- Diagnostics: AIX diagnostics
Boot logging: several /etc/inittab entries pipe their output through the alog program (alog -tboot) into the boot log, which can be read after the fact with alog -t boot -o.

/etc/inittab
Format of each line: id:runlevel:action:command

  init:2:initdefault:
  brc::sysinit:/sbin/rc.boot 3 >/dev/console 2>&1 # Phase 3 of system boot
  powerfail::powerfail:/etc/rc.powerfail 2>&1 | alog -tboot > /dev/console
  ...
  mkatmpvc:2:once:/usr/sbin/mkatmpvc >/dev/console 2>&1
  atmsvcd:2:once:/usr/sbin/atmsvcd >/dev/console 2>&1
  load64bit:2:wait:/etc/methods/cfg64 >/dev/console 2>&1 # Enable 64-bit execs
  tunables:23456789:wait:/usr/sbin/tunrestore -R > /dev/console 2>&1
  ...
  rc:23456789:wait:/etc/rc 2>&1 | alog -tboot > /dev/console # Multi-User checks
  fbcheck:23456789:wait:/usr/sbin/fbcheck 2>&1 | alog -tboot > /dev/console
  ...
  srcmstr:23456789:respawn:/usr/sbin/srcmstr # System Resource Controller
  rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
  rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
  cron:23456789:respawn:/usr/sbin/cron
  piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1 # pb cleanup
  qdaemon:23456789:wait:/usr/bin/startsrc -sqdaemon
  writesrv:23456789:wait:/usr/bin/startsrc -swritesrv
  uprintfd:23456789:respawn:/usr/sbin/uprintfd
  shdaemon:2:off:/usr/sbin/shdaemon >/dev/console 2>&1 # High availability daemon
  l2:2:wait:/etc/rc.d/rc 2
  l3:3:wait:/etc/rc.d/rc 3
  l4:4:wait:/etc/rc.d/rc 4
  ...

Every command in this file is run by init as root at boot, so the file must stay writable only by root and is worth reviewing for entries nobody can account for.
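The runlevel and action fields decide what init starts, and an entry with an empty runlevel field runs at every level. As an added example, not code from the course, the shell functions below parse lines in this id:runlevel:action:command layout, list what init would start for a given runlevel, and flag the two things an auditor checks first: entries with no id and commands that live under /tmp. The sample entries are constructed from the listing above, with one deliberately suspicious line added.

```shell
#!/bin/sh
# Added example: parse /etc/inittab-format lines (id:runlevel:action:command)
# and list the entries init will run for a given runlevel.
# The sample below is constructed from the format shown on the slide; the
# last line is a deliberately planted entry, not from any real system.

SAMPLE_INITTAB='init:2:initdefault:
brc::sysinit:/sbin/rc.boot 3 >/dev/console 2>&1 # Phase 3 of system boot
srcmstr:23456789:respawn:/usr/sbin/srcmstr # System Resource Controller
rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
cron:23456789:respawn:/usr/sbin/cron
shdaemon:2:off:/usr/sbin/shdaemon >/dev/console 2>&1 # High availability daemon
l2:2:wait:/etc/rc.d/rc 2
:2:once:/tmp/backdoor'

# inittab_entries RUNLEVEL [ACTION]
# Prints "id action command" for every entry whose runlevel field is empty
# (runs at every level) or contains RUNLEVEL, skipping entries whose action
# is "off". Optional ACTION restricts the output to that action.
inittab_entries() {
    printf '%s\n' "$SAMPLE_INITTAB" | awk -F: -v rl="$1" -v act="$2" '
        # rebuild the command field: it may itself contain colons
        { cmd = $4; for (i = 5; i <= NF; i++) cmd = cmd ":" $i }
        $3 == "off" { next }
        $2 != "" && index($2, rl) == 0 { next }
        act != "" && $3 != act { next }
        { print $1, $3, cmd }'
}

# inittab_suspicious
# Flags entries with a blank id, or a command under /tmp or /var/tmp:
# init runs every command here as root, so these deserve a second look.
inittab_suspicious() {
    printf '%s\n' "$SAMPLE_INITTAB" | awk -F: '
        $1 == "" { print "blank-id:" $0; next }
        $4 ~ /^\/(var\/)?tmp\// { print "tmp-command:" $0 }'
}
```

To run the same checks against a live system, replace the printf of the sample with cat /etc/inittab.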
System Resource Controller commands
Start a subsystem:
  # startsrc -s lpd
  0513-059 The lpd Subsystem has been started. Subsystem PID is 12472.
Refresh a subsystem:
  # refresh -s lpd
  0513-095 The request for subsystem refresh was completed successfully.
Stop a subsystem:
  # stopsrc -s lpd
  0513-044 The lpd Subsystem was requested to stop.
Stopping processes
  # ps -ef
       UID   PID  PPID   C   STIME  TTY  TIME CMD
      root     1     0   0  May 04    -  0:11 /etc/init
      root  2626     1   0  May 04    -  1:17 /usr/sbin/syncd 60
      root  4136     1   0  May 04    -  0:00 /usr/sbin/srcmstr
      root  4964  4136   0  May 04    -  0:00 /usr/sbin/inetd
      root  6734     1   0  May 04    -  0:02 /usr/sbin/cron
      root  8022  4136   0  May 04    -  0:00 /usr/sbin/qdaemon
      root  9036     1   0  May 04    -  0:00 /usr/sbin/uprintfd
      root  9345     1   0  May 04    -  0:02 /usr/bin/program
System shutdown
The shutdown command:
- Gracefully stops all activity on the system and advises all logged-on users
- Warns users of an impending shutdown

  # shutdown +2 The system will be down until 3AM
  Broadcast message from root@localhost (tty) at 1:30:20...
  The system will be down until 3AM
  shutdown: PLEASE LOG OFF NOW!!!
  All processes will be killed in 2 minutes
Checkpoint
1. What is the first process that is created on the system and which file does it reference to initiate all the other processes that have to be started?
   ____________________________________________
2. [...] of daemons or programs?
   ____________________________________________
3. [...] command from the console.
Checkpoint solutions
1. What is the first process that is created on the system and which file does it reference to initiate all the other processes that have to be started?
   The initial process is init, which checks /etc/inittab for information regarding other processes that have to be started.
2. [...] of daemons or programs?
   The System Resource Controller (SRC)
Unit summary
- When the system boots up, it first runs through a number of hardware checks before starting the processes defined in the /etc/inittab file.
- [...] used to identify problems. Alternatively, the boot log file can be accessed to obtain the system messages produced during the boot phase.
- Once the system is up, it can be shut down by an authorized user from any terminal.
- SMIT can be used to change common system settings such as the language used, and the date and time used by the system.
Unit objectives
After completing this unit, you should be able to:
- Define the package definitions and naming conventions
- Identify how software products and updates are installed and managed on the system
Packaging definitions
- LPP (licensed program product), for example bos: the complete product, a collection of packages
- Package, for example bos.INed or bos.adt: a collection of filesets
- Fileset, for example bos.INed, bos.adt.lib or bos.adt.prof: the smallest installable unit
Bundles
A bundle is a collection of packages and filesets suited for a particular environment. Predefined system bundles in AIX include:
  AllDevicesKernels, Alt_Disk_Install, App-Dev, CC_Eval.Graphics, CDE, Devices, GNOME, Graphics, Infocenter, KDE, Kerberos_5, Media-Defined, Mozilla, PerfTools, Server, cas_client and cas_server, openssh_client and openssh_server, wsm_remote
Fileset naming
A fileset name is LPP.Package.Fileset.Suffix; for example bos.terminfo.print.data is LPP bos, package terminfo, fileset print, suffix data.
Message convention: LPP.msg[.lang].package.fileset
Software updates
  # oslevel
  6.1.0.0
The four fields are Version (6), Release (1), Modification (0) and Fix (0). A new version or release is installed by a migration install; modification and fix-level updates are applied with smit update_all (Update Installed Software to Latest Level).
Software states
Applied: the new level of a fileset (for example 6.1.0.2) is installed and in use, but the previous level (6.1.0.0) is saved so that the update can still be rejected. An applied update must later be committed or rejected.
Committed: the fileset is at the new level (6.1.0.2) only; the saved previous level has been removed and the update can no longer be rejected.
Install Software

  Install Software

  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.
                                                        [Entry Fields]
  * INPUT device / directory for software               /dev/cd0
  * SOFTWARE to install                                 [_all_latest]   +
    PREVIEW only? (install operation will NOT occur)    no              +
    COMMIT software updates?                            yes             +
    SAVE replaced files?                                no              +
    AUTOMATICALLY install requisite software?           yes             +
    EXTEND file systems if space needed?                yes             +
    OVERWRITE same or newer versions?                   no              +
    VERIFY install and check file sizes?                no              +
    Include corresponding LANGUAGE filesets?            yes             +
    DETAILED output?                                    no              +
    Process multiple volumes?                           yes             +
    ACCEPT new license agreements?                      no              +
    PREVIEW new LICENSE agreements?                     no              +

With COMMIT software updates set to yes and SAVE replaced files set to no, the update cannot be rejected afterwards; set COMMIT to no and SAVE to yes to keep a fallback until the update has been verified.
Software inventory
  # smit list_installed

  List Installed Software and Related Information

  Move cursor to desired item and press Enter.

    List Installed Software
    List Installed Software by Bundle
    List Applied but Not Committed Software Updates
    Show Software Installation History
    Show Fix (APAR) Installation Status
    List Fileset Requisites
    List Fileset Dependents
    List Files Included in a Fileset
    List Fileset Containing File
    Show Installed License Agreements

lslpp command:
  -L  Lists the installed software
  -h  Shows the history of a software product
Comparison reports
(figure: the fixes installed on the system are compared against a fix repository and against a list of available updates)
  # smit compare_report

  Comparison Reports

  Move cursor to desired item and press Enter.

    Compare Installed Software to Fix Repository
    Compare Installed Software to List of Available Updates
    Compare Fix Repository to List of Available Updates
instfix command
Installs a fix:
  # instfix -k IY58143 -d /dev/cd0
Lists which AIX BOS maintenance levels are partly or fully installed:
  # instfix -i | grep ML
  All filesets for 6.1.0.0_AIX_ML were found.
  All filesets for 6100-01_AIX_ML were found.
Lists which filesets are missing in a partly installed AIX BOS maintenance level:
  # instfix -ciqk 6100-01_AIX_ML | grep :-:
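The grep for :-: above relies on the colon-separated layout of instfix -ciq output. As an added example, not code from the course, the functions below read records in that layout (assumed here to be fix:fileset:required-level:installed-level:status:abstract, with status = for the exact level, + for a higher level, - for a lower level and ! for a fileset that is not installed) and report every fileset that keeps the maintenance level from being complete, including the not-installed case the grep misses. A second function compares two VRMF levels field by field, the version.release.modification.fix form shown under oslevel above. The records are constructed for the example.

```shell
#!/bin/sh
# Added example: read instfix -icq style records and report which filesets
# keep a maintenance level from being complete. Assumed record layout:
#   fix:fileset:required-level:installed-level:status:abstract
# with status "=" (exact level), "+" (higher level), "-" (lower level)
# and "!" (fileset not installed). The records below are constructed.

SAMPLE_INSTFIX='6100-01_AIX_ML:bos.rte:6.1.1.0:6.1.1.0:=:AIX 6100-01 Update
6100-01_AIX_ML:bos.rte.commands:6.1.1.0:6.1.1.1:+:AIX 6100-01 Update
6100-01_AIX_ML:bos.net.tcp.client:6.1.1.0:6.1.0.2:-:AIX 6100-01 Update
6100-01_AIX_ML:bos.adt.prof:6.1.1.0::!:AIX 6100-01 Update'

# ml_incomplete
# Prints "fileset installed-level required-level status" for every record
# whose fileset is below the required level or missing entirely.
ml_incomplete() {
    printf '%s\n' "$SAMPLE_INSTFIX" | awk -F: '
        NF >= 5 && ($5 == "-" || $5 == "!") {
            inst = ($4 == "") ? "(not installed)" : $4
            print $2, inst, $3, $5 }'
}

# ml_complete -> exit 0 if no fileset is below level or missing
ml_complete() { [ -z "$(ml_incomplete)" ]; }

# vrmf_cmp A B -> exit 0 if VRMF level A is at or above B, 1 otherwise.
# Compares version.release.modification.fix field by field, numerically,
# which is what "at or above the required level" means for a fileset.
vrmf_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0 }'
}
```

On a live system, feed instfix -ciqk 6100-01_AIX_ML into ml_incomplete in place of the sample; an empty result means the level is complete.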
Checkpoint
1. Which of the following states can your software be in, in order for you to be able to use it? (Select all that apply)
   a. Applied state
   b. Removed state
   c. Install state
   d. Commit state
2. What command is used to list all installed software on your system? _______________
3. Which of the following can you install as an entity? (Select all that apply)
   a. Fileset
   b. LPP
   c. Package
   d. Bundle
4. What is the difference between the SMIT menus: Install Software and Update Installed Software to Latest Level (Update All)?
   _________________________________________________
Checkpoint solutions
1. Which of the following states can your software be in, in order for you to be able to use it? (Select all that apply)
   a. Applied state
   b. Removed state
   c. Install state
   d. Commit state
3. Which of the following can you install as an entity? (Select all that apply)
   a. Fileset
   b. LPP
   c. Package
   d. Bundle
4. What is the difference between the SMIT menus: Install Software and Update Installed Software to Latest Level (Update All)?
   Install Software by default installs everything from the installation media (except printer and devices) onto the system. Update Installed Software to Latest Level (Update All) installs only updates to filesets already installed on your system.
Exercise: List and install AIX software; Working with AIX fixes (optional)
Unit summary
- AIX package naming conventions include the following terms: LPP, Package, Fileset, Suffix
- The easiest way to install software is to use SMIT. The geninstall and installp commands are also available.
- Use the lslpp command, SMIT or the Web-based System Manager to list all software products installed on the system.
Welcome to:
Unit objectives
After completing this unit, you should be able to:
- List the different installation and media options available
- List the steps necessary to install the AIX version 6.1 base operating system
- Identify the tasks that can be carried out using the Configuration Assistant
Installation methods
- CD-ROM
- Tape (not available for AIX 6.1 installation): 4 mm, 8 mm
- Preinstallation option (for a new system order)
- Network Installation Manager (NIM): Token Ring, Ethernet, FDDI
Starting the installation (figure): power on the system and press 5 when the firmware boot screen appears.
The installation menus are displayed on the console, for example a terminal on a serial port:

  ...
  >>> 0 Install with the settings listed above
      88 Help ?
      99 Previous Menu
  >>> Choice [1]:

  Warning: Base operating system installation will destroy or impair recovery of SOME data on the destination disk hdisk0
Method of installation
Option 1 of the Installation and Settings menu:

  Change Method of Installation

  Type the number of your choice and press Enter.

    1 New and Complete Overwrite
      Overwrites EVERYTHING on the disk selected for installation.
      Warning: Only use this method if the disk is totally empty or there is nothing on the disk you want to preserve.

    2 Preservation Install
      Preserves SOME of the existing data on the disk selected for installation.
      Warning: This method overwrites the user (/usr), variable (/var), temporary (/tmp), and root (/) file systems. Other product (application) files and configuration data will be destroyed.

    3 Migration Install
      Upgrades the Base Operating System to current release. Other product (application) files and configuration data are saved.

      88 Help ?
      99 Previous Menu
  >>> Choice [2]: 1
Installation disks

  Change Disks Where You Want to Install

  Type one or more numbers for the disk(s) to be used for installation and press Enter. To cancel a choice, type the corresponding number and press Enter. At least one bootable disk must be selected. The current choice is indicated by >>>.

  (disk table, including a Bootable column with yes/no for each disk)

      55 More Disk Options
      66 Disks not known to Base Operating System Installation
      77 Display Alternative Disk Attributes
      88 Help ?
      99 Previous Menu

A related screen lets the installer overwrite the chosen disk with a sequence of patterns before installation, so that data from a previous use of the disk cannot be recovered:

      1 Number of patterns to write ........ 0
      2 Pattern #1 ......................... 00
      3 Pattern #2 ......................... ff
      4 Pattern #3 ......................... a5
      5 Pattern #4 ......................... 5a
      6 Pattern #5 ......................... 00
      7 Pattern #6 ......................... ff
      8 Pattern #7 ......................... a5
      9 Pattern #8 ......................... 5a
  >>> 0 Continue with choices indicated above
      88 Help ?
      99 Previous Menu
  >>> Choice [0]:
Install Options
Option 4 of the Installation and Settings menu:

  Install Options

  Either type 0 and press Enter to install with current settings, or type the number of the setting you want to change and press Enter.

    1. Graphics Software ....................................... Yes
    2. System Management Client Software ....................... Yes
    3. Create JFS2 File Systems ................................ Yes
    4. Enable System Backups to install any system ............. Yes
       (Install all devices)
  >>> 5. Install More Software

      0 Install with the current settings listed above.
      88 Help ?
      99 Previous Menu
  >>> Choice [5]: _

After the additional software has been chosen the menu returns with option 0 selected:

  >>> 0 Install with the current settings listed above.
      88 Help ?
      99 Previous Menu
  >>> Choice [0]: _
Begin installation

  Installing Base Operating System

  Please wait . . . . . .

  Approximate % tasks completed    16
  Elapsed Time (in minutes)         1

The installation:
- Builds the AIX directory structure
- Restores BOS, locale and filesets from the installation media only
- Installs software for the connected and powered-on devices
Checkpoint
1. AIX 6.1 can be installed from which of the following? (Select all that are correct)
   a. 8 mm tape
   b. CD-ROM
   c. Diskette
   d. 4 mm tape
2. True or False? A Preservation Install preserves all data on the disks.
3. What is the console used for during the installation process?
   _____________________________________________
Checkpoint solutions
1. AIX V6.1 can be installed from which of the following? (Select all that are correct)
   b. CD-ROM (tape and diskette cannot be used to install AIX 6.1)
2. True or False? A Preservation Install preserves all data on the disks.
   False. It preserves SOME of the existing data on the disk selected for installation. Warning: this method overwrites the user (/usr), variable (/var), temporary (/tmp), and root (/) file systems. Other product (application) files and configuration data are destroyed.
3. What is the console used for during the installation process?
   The console is used to display all the system messages and to interact with the installation.
Unit summary
- AIX V6.1 is only distributed on CD-ROM.
- In order to install the base operating system, system-specific questions have to be answered before the process can begin.
- The Configuration Assistant is used by the system administrator to further customize the system.
Unit 7 Devices
Unit objectives
After completing this unit, you should be able to:
- Describe the different states of a device
- Describe the format of device location codes
- Use SMIT to add, show, change and delete devices
Device terminology
- Physical devices
- Ports
- Device drivers
- Logical devices
- /dev directory
(figure: ls -l /dev entries such as rmt0, rmt1 and fd0, created when the devices were configured (dated Oct 29 and Nov 1), and the tape drive types known to the predefined database, for example 1.2 GB 1/4-inch, 150 MB 1/4-inch, 3490E autoloading and 2.0 GB 4 mm)
  # lsattr -EH -l sys0
  (the attribute and value columns are not reproduced on the slide)
  description                                   user_settable
  State of system keylock at boot time          False
  Amount of usable physical memory in Kbytes    False
  Continuously maintain DISK I/O history        True
Device states
- Predefined database: Undefined, that is a supported device that has not been configured
- Customized database: Defined (entered by mkdev -l or cfgmgr; not usable) and Available (ready for use)
- rmdev -l moves a device from Available back to Defined; rmdev -dl removes it from the customized database altogether (back to Undefined)
Self-configuring devices
cfgmgr configures a device such as a CD-ROM in these steps (figure):
1. cfgmgr runs and queries the adapter through its device driver
2. The device answers: a CD-ROM at location 10-80-00-3,0
3. cd0 is entered in the ODM customized database in the Defined state
4. The device driver is loaded into the kernel (/unix) and the special file /dev/cd0 is created with major number 39:
     # ls -l /dev/cd0
     br--r--r--  ... root  system  39, ...  /dev/cd0
5. The device is Available; the ODM now records cd0 available 10-80-00-3,0
Device addressing
- Location codes are used for device addressing
- The location code for a device is a path from the adapter in the CPU drawer or system unit, through the signal cables and the asynchronous distribution box (if there is one), to the device
- Location codes consist of up to four fields of information depending on the type of device
- Location codes differ based on model type

Location code fields: AB-CD-EF-GH
  AB  00 = resources attached to the processor; 01 = resources attached to the ISA bus; 04 = resources attached to the PCI bus (only); XY = resources attached to the XY PCI bus (for example 10 or 1P)
  CD  01-99 for pluggable adapters/cards; A-Z,0 as position 1 and 2 respectively for integrated adapters
  EF  the connector ID
  GH  port identifier, address, memory modules, device, FRU for the device
Example of a four-field code: 1P-10-21-10

lsdev output (figure) shows both AIX location codes, for example 02-08 (PCI-X DDR dual channel adapter), 02-08-00 and 02-08-01 (its two channels), 02-08-01-9,0 (16-bit LVD SCSI disk) and 02-08-01-15,0 (SCSI enclosure services), and physical location codes such as U789D.001.DQDWAYT-P1-C4-T1 and U7311.D20.107F67B-P1-C04-A8.
Attachment
SMIT first asks for the TTY type and the parent adapter:

  TTY Type

  Move cursor to desired item and press Enter.

    tty rs232 Asynchronous Terminal
    tty rs422 Asynchronous Terminal

  Parent Adapter

  Move cursor to desired item and press Enter.

    sa0 Available 01-S1     Standard I/O Serial Port 1
    sa1 Available 01-S2     Standard I/O Serial Port 2
    sa2 Available 1P-03-11  16-Port RAN EIA-232 for 128-Port adapter
    sa3 Available 1P-03-12  16-Port RAN EIA-232 for 128-Port adapter
    sa4 Available 1P-03-13  16-Port RAN EIA-232 for 128-Port adapter
Device nomenclature
For the built-in serial connection, the nomenclature looks like this (figure):
- sa0 and sa1: the built-in adapters on the system planar for serial ports s1 and s2
- sa2, sa3 and sa4: 16-port RANs attached to the 128-port adapter
Add a TTY

  Add a TTY

  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.

  [TOP]                                             [Entry Fields]
    TTY type                                        tty
    TTY interface                                   rs232
    Description                                     Asynchronous Terminal
    Parent adapter                                  sa0
  * PORT number                                     []            +
    Enable LOGIN                                    disable       +
    BAUD rate                                       []            +
    PARITY                                          [none]        +
    BITS per character                              [8]           +
    Number of STOP BITS                             [1]           +
    TIME before advancing to next port setting      [0]           +#
    TERMINAL type                                   [dumb]
    FLOW CONTROL to be used                         [xon]         +
  [MORE...31]

  F1=Help  Esc+5=Reset  Esc+9=Shell  F2=Refresh  Esc+6=Command  Esc+0=Exit  F4=List  Esc+8=Image
lscfg -v
  Provides details of all devices including manufacturer, type and model number, and part numbers
getconf -a
  Provides the values of all system configuration variables
Checkpoint (1 of 2)
1. Is it possible to use SCSI ID 7 for a new tape drive?
   _______________________________________________
3. Use the output on the next visual (lsdev -C -H) to answer the following four questions.
   a) What happens if we attempt to add another device with the SCSI address set to 4?
      _______________________________________________
   b) Can the 8 mm tape drive be currently used? Why?
      _______________________________________________
   c) Where is the printer connected? __________________
   d) The Ethernet adapter is installed in what slot?
      _______________________________________________
Checkpoint (2 of 2)
  # lsdev -C -H
  name    status     location      description
  sys0    Available                System Object
  pci0    Available                PCI Bus
  isa0    Available  10-58         ISA Bus
  ppa0    Available  01-R1         Standard I/O Parallel Port Adapter
  lp0     Available  01-R1-00-00   IBM 4039 LaserPrinter
  sa0     Available  01-S1         Standard I/O Serial Port 1
  tty0    Available  01-S1-00-00   Asynchronous Terminal
  mem0    Available                Memory
  scsi0   Available  10-80         Wide SCSI I/O Controller
  rmt0    Defined    10-80-00-3,0  5.0 GB 8 mm Tape Drive
  hdisk0  Available  10-80-00-4,0  SCSI Disk Drive
  ent0    Available  10-60         IBM PCI 10/100 Ethernet Adapter
Checkpoint solutions
1. Is it possible to use SCSI ID 7 for a new tape drive?
   No. The SCSI adapter itself uses ID 7, so it cannot be used for other devices.
3. Use the output on the previous visual (lsdev -C -H) to answer the following four questions.
   a) What happens if we attempt to add another device with the SCSI address set to 4?
      The operation fails, as there is already a device (the SCSI disk drive) configured at this location.
   b) Can the 8 mm tape drive be currently used? Why?
      No, because it is in the Defined state. You have to first make it Available by either using SMIT or the mkdev command.
   c) Where is the printer connected?
      The parallel port.
   d) The Ethernet adapter is installed in what slot?
      It is an integrated adapter which does not occupy a slot on the PCI bus.
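The checkpoint answers come from reading the status column and the SCSI ID in the last field of each location code. As an added example, not code from the course, the shell functions below do the same reading mechanically over lsdev -C -H style rows: they find devices that are not Available and tell whether a proposed SCSI location collides with an existing device or with the adapter's own ID 7. The rows are the checkpoint visual reduced to name, status, location and description, with a dash where the slide shows no location.

```shell
#!/bin/sh
# Added example: check device states and SCSI address conflicts from
# lsdev -C -H style output. Rows are "name status location description";
# a "-" stands for an empty location column. The sample is the checkpoint
# visual from this unit, reformatted.

SAMPLE_LSDEV='sys0 Available - System Object
pci0 Available - PCI Bus
isa0 Available 10-58 ISA Bus
ppa0 Available 01-R1 Standard I/O Parallel Port Adapter
lp0 Available 01-R1-00-00 IBM 4039 LaserPrinter
sa0 Available 01-S1 Standard I/O Serial Port 1
tty0 Available 01-S1-00-00 Asynchronous Terminal
mem0 Available - Memory
scsi0 Available 10-80 Wide SCSI I/O Controller
rmt0 Defined 10-80-00-3,0 5.0 GB 8 mm Tape Drive
hdisk0 Available 10-80-00-4,0 SCSI Disk Drive
ent0 Available 10-60 IBM PCI 10/100 Ethernet Adapter'

# lsdev_not_available
# Prints "name status location" for every device that is not Available;
# a Defined device exists in the ODM but cannot be used yet.
lsdev_not_available() {
    printf '%s\n' "$SAMPLE_LSDEV" | awk '$2 != "Available" { print $1, $2, $3 }'
}

# lsdev_scsi_check NEWLOC
# NEWLOC is a SCSI location of the form AB-CD-EF-ID,LUN (for example
# 10-80-00-5,0). Reports CONFLICT if ID is 7 (the adapter's own ID) or if
# a device already sits at that exact location, otherwise OK.
lsdev_scsi_check() {
    printf '%s\n' "$SAMPLE_LSDEV" | awk -v newloc="$1" '
        # SCSI children carry an ID,LUN pair in the last location field
        $3 ~ /^[0-9A-Z]+-[0-9A-Z]+-[0-9A-Z]+-[0-9]+,[0-9]+$/ { used[$3] = $1 }
        END {
            n = split(newloc, f, "-")
            split(f[n], id, ",")
            if (id[1] == 7)
                print "CONFLICT " newloc " (ID 7 is the adapter)"
            else if (newloc in used)
                print "CONFLICT " newloc " (in use by " used[newloc] ")"
            else
                print "OK " newloc
        }'
}
```

For a live system replace the sample with the output of lsdev -C -H -F "name status location description" so the columns stay in this order.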
Exercise 7: Devices
- List device configuration
- List and change system parameters
- Configure a tape device
- Configure a CD-ROM device
Unit summary
- A physical device is the actual hardware attached to the system. A logical device is the software interface used by programs and users to access a physical device.
- Device information is stored in the ODM in two databases: customized and predefined.
- Devices can exist in a number of different states: undefined, defined, available and stopped.
- Location codes are used to describe exactly where a device is connected into the system.
- Device attributes can be modified through SMIT. To create, modify or remove device definitions, it is sometimes necessary to use commands such as mkdev, chdev and rmdev.
Welcome to:
Unit objectives
After completing this unit, you should be able to:
- Add, change and delete volume groups, logical volumes and physical volumes
- Describe mirroring
- Describe striping
Volume groups
A volume group (figure) is made up of one or more physical volumes (PVs).

  # lsvg -p rootvg
  rootvg:
  PV_NAME  PV STATE  TOTAL PPs  FREE PPs  FREE DISTRIBUTION
  ...      active    159        52        24..00..00..00..28
  ...      active    159        78        32..02..00..12..32

FREE DISTRIBUTION counts the free physical partitions in the outer edge, outer middle, center, inner middle and inner edge regions of each disk.

Logical volumes in rootvg (lsvg -l rootvg, figure): hd6 (paging), hd5 (boot), hd8 (jfslog), hd9var, hd4, hd2, hd3, hd1, hd10opt, hd11admin, lv00 and lv01 (jfs2); the LPs, PPs and PVs columns are not reproduced on the slide.
Hot spare
(figure: volume group myvg with hdisk4 in use and hdisk5 designated as a hot spare; when a disk in myvg fails, the mirrored partitions are synchronized onto the hot spare)

SMIT dialogs for volume groups prompt for the volume group name:

  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.
                                   [Entry Fields]
  * VOLUME GROUP name              []             +

Deactivate a volume group from the command line:
  # varyoffvg datavg
Logical storage
(figure: two physical volumes, each divided into numbered physical partitions 1 to 50; a logical volume lv00 consists of logical partitions LP1, LP2, ... and each logical partition maps to one physical partition, for example PP1 and PP2 on hdisk0; with mirroring a first, second and third copy of each logical partition map to further physical partitions)

Mirroring
Mirroring is when a logical partition maps to more than one physical partition of the same volume group.
Scheduling policy:
- Parallel: the physical partitions are written simultaneously
- Sequential: the physical partitions are written in sequence
(figure: copy 1, copy 2 and copy 3 of a mirrored logical volume)
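A mirror only protects against a disk loss if the copies sit on different physical volumes and are in sync. As an added example, not code from the course, the shell functions below derive the number of copies of each logical volume from lsvg -l style rows (columns assumed to be LV NAME, TYPE, LPs, PPs, PVs, LV STATE, MOUNT POINT, with copies = PPs / LPs) and flag volumes with a single copy, more copies than disks, or a stale copy. The rows are constructed for the example.

```shell
#!/bin/sh
# Added example: derive the number of mirror copies per logical volume from
# lsvg -l style output. Columns assumed: LV NAME, TYPE, LPs, PPs, PVs,
# LV STATE, MOUNT POINT; copies = PPs / LPs. The rows are constructed.

SAMPLE_LSVG='hd5 boot 1 2 2 closed/syncd N/A
hd6 paging 32 64 2 open/syncd N/A
hd4 jfs2 1 2 2 open/syncd /
hd2 jfs2 101 202 2 open/syncd /usr
lv00 jfs2 2 2 1 open/syncd /data
lv01 jfs2 4 8 1 open/stale /logs'

# lv_copies
# Prints "lv copies pvs state" for every logical volume.
lv_copies() {
    printf '%s\n' "$SAMPLE_LSVG" | awk 'NF >= 6 && $3 > 0 {
        printf "%s %d %d %s\n", $1, $4 / $3, $5, $6 }'
}

# lv_unprotected
# Flags volumes whose mirroring gives no protection against a disk loss:
# a single copy, more copies than disks (copies share a PV), or a stale
# copy that still needs syncvg before it is usable.
lv_unprotected() {
    lv_copies | awk '
        $2 < 2        { print $1, "single-copy"; next }
        $3 < $2       { print $1, "copies-share-pv"; next }
        $4 ~ /stale/  { print $1, "stale-copy" }'
}
```

On a real system, pipe lsvg -l rootvg (minus its two header lines) into lv_copies in place of the sample.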
Striping
(figure) Normal flow of data blocks when a logical volume is spread across physical volumes: blocks 1 to 12 fill the first physical volume, 13 to 24 the second and 25 to 36 the third. With striping, consecutive stripe units go to different physical volumes in turn: units 1, 4, 7, 10, ... on the first, 2, 5, 8, 11, ... on the second and 3, 6, 9, 12, ... on the third.
- Consecutive stripe units are created on different physical volumes
- Striping increases sequential read/write throughput by evenly distributing stripe units among disks
- The stripe unit size is specified at creation time
Striped columns
Striped logical volume with strip width = 3 and upper bound = 6 (figure): striped column 1 is made up of the first three physical volumes (PV2 and PV3 are shown), each holding strips 1, 2, ..., n; striped column 2 is PV4, PV5 and PV6, each holding strips n+1, n+2, .... When the first column is full, allocation continues in the next column.

Intra-physical volume allocation policy (where on each disk): inner edge, inner middle, center, outer middle (middle), outer edge (edge).
Inter-physical volume allocation policy (how many disks): the maximum number of physical volumes to use and the range of physical volumes to use.
SMIT dialogs for logical volumes:

  Remove a Logical Volume

  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.

  [TOP]                            [Entry Fields]
    LOGICAL VOLUME name            []             +

  Set Characteristics of a Logical Volume

  Move cursor to desired item and press Enter.

    Change a Logical Volume
    Rename a Logical Volume
    Increase the Size of a Logical Volume
    Add a Copy to a Logical Volume
    Remove a Copy from a Logical Volume
Physical volumes
(figure: a volume group with PV1 and PV2, each divided into numbered physical partitions 1 to 50)

lspv -p output (figure) lists the physical partitions of a rootvg disk by region (outer edge, outer middle, center, inner middle, inner edge) together with the logical volume, type and mount point that occupy each range: hd5 (boot, N/A) on the outer edge, hd6 (paging, N/A), hd8 (jfslog, N/A), hd4 (jfs2, /), hd2 (jfs2, /usr), hd9var (jfs2, /var), hd3 (jfs2, /tmp), hd1 (jfs2, /home), hd10opt (jfs2, /opt) and hd11admin (jfs2, /admin); several logical volumes appear in more than one range because their partitions are not contiguous.
Checkpoint
1. True or False? A logical volume can span more than one physical volume.
2. True or False? A logical volume can span more than one volume group.
3. True or False? The contents of a physical volume can be divided between two volume groups.
4. True or False? If mirroring logical volumes, it is not necessary to perform a backup.
5. True or False? SMIT can be used to easily increase or decrease the size of a logical volume.
6. True or False? Striping is done at a logical partition level.
Checkpoint solutions
1. True or False? A logical volume can span more than one physical volume.
2. True or False? A logical volume can span more than one volume group.
3. True or False? The contents of a physical volume can be divided between two volume groups.
4. True or False? If mirroring logical volumes, it is not necessary to perform a backup.
   False. You still need to back up to external media.
5. True or False? SMIT can be used to easily increase or decrease the size of a logical volume.
   False. SMIT can only be used to increase a file system. Decreasing one requires backing up the file system, removing it, re-creating it, and then restoring.
6. True or False? Striping is done at a logical partition level.
   False. It is done at a stripe unit level.
Unit summary
SMIT or high-level commands can be used to add, change, or delete volume groups, physical volumes and logical volumes. Mirroring is a way to have two or three copies of a logical volume for high availability requirements. Disk striping is used to provide high performance in large, sequentially accessed file systems.
Unit objectives
After completing this unit, you should be able to:
Identify the components of an AIX file system
Add an enhanced journaled file system
Change characteristics of a file system
Add a RAM file system
Add a UDF file system on a DVD-RAM
JFS file system structure
Superblock: file system size and identification; free list, fragment size, nbpi
Inodes: file size, ownership, permissions, times; pointers to data blocks
Data blocks: contain data
Indirect blocks: contain pointers to data blocks
Structure of an inode
Contents of an inode: permissions, number of links, type of file, user ID, group ID, file size, addresses of blocks, time modified, time accessed, time changed, access control information, reserved, other
Fragmentation
Diagram: without fragmentation, a 2000-byte file occupies a whole 4096-byte block. With fragmentation enabled and a fragment size of 1024 bytes, the 4096-byte block is split into four 1024-byte fragments and the 2000-byte file uses only the fragments it needs.
Number of bytes per inode (nbpi)
Diagram: inodes are 128 bytes each. One file system is shown with one inode per 4096-byte block; the other uses the value nbpi = 1024, so an inode is created for every 1024 bytes of file system (four inodes, 4 x 1024, per 4096-byte block).
Allocation group size (agsize)
Diagram: inodes and disk blocks are grouped into allocation groups of 16 MB or 64 MB (agsize).
Large file enabled file system
Diagram: a 132 MB file. Its first 1024 blocks are allocated as single 4 KB blocks; beyond that, space is allocated in units of 32 blocks (128 KB).
Journal log
Write data, then sync/fsync:
1) Inode changes to log
2) COMMIT to log
3) Update inode
4) Sync log
JFSLOG: no journaling of data blocks; only inode information (and indirect block information) is journaled.
JFS2 uses extent-based allocation for high performance and large file sizes.
Extended attributes (EAv2)
NFS V4 ACLs are stored in JFS2 with EAv2; user-defined information may also be stored in EAv2.
$ getea HenryVIII
EAName: Author
EAValue: Shakespeare
File Systems
# smit fs
File Systems
Move cursor to desired item and press Enter.
  List All File Systems
  List All Mounted File Systems
  Add/Change/Show/Delete File Systems
  Mount a File System
  Mount a Group of File Systems
  Unmount a File System
  Unmount a Group of File Systems
  Verify a File System
  Backup a File System
  Restore a File System
  List Contents of a Backup
  Create and backup a snapshot

Add a Journaled File System on a Previously Defined Logical Volume
Move cursor to desired item and press Enter.
  Add a Standard Journaled File System
  Add a Compressed Journaled File System
  Add a Large File Enabled Journaled File System
F1=Help  F2=Refresh  F3=Cancel  Esc+8=Image  Esc+9=Shell  Esc+0=Exit  Enter=Do

Add an enhanced journaled file system (JFS2) on a previously defined logical volume
Add an Enhanced Journaled File System
Type or select values in entry fields. Press Enter AFTER making all desired changes.
                                              [Entry Fields]
* LOGICAL VOLUME name                                        +
* MOUNT POINT                                 [ ]
  Mount AUTOMATICALLY at system restart?      no             +
  PERMISSIONS                                 read/write     +
  Mount OPTIONS                               [ ]            +
  Block Size (bytes)                          4096           +
  Logical Volume for Log                      [ ]            +
  Inline Log size (MBytes)                    [ ]            #
  Extended Attribute Format                   Version 1      +
  Enable Quota Management                     no             +
  Enable EFS?                                 no             +
  Allow internal snapshots?                   no             +
F1=Help  F2=Refresh  F3=Cancel  F4=List  F5=Reset  F6=Command  F7=Edit  F8=Image  F9=Shell  F10=Exit  Enter=Do
Reducing the size of a JFS2 file system by 16 MB (the diagram shows the logical partitions, LP1 onward, after the change):
# chfs -a size="-16M" /myfs
Disks, file systems and directories
Diagram: rootvg spans hdisk0 and hdisk1 and holds the system logical volumes hd5 (/blv), hd4 (/, the root file system), hd2 (/usr), hd3 (/tmp), hd9var (/var), hd1 (/home), hd8 (log), hd6 and hd61 (Page Space), plus free space. uservg spans hdisk2 and hdisk3 and holds lv00 (special DB) and /home, plus free space. The root file system contains the directories /bin, /dev, /etc and /lib; /usr, /tmp, /var and /home are separate file systems mounted on it.
Checkpoint
1. Does the size of the file system change when the size of the logical volume it is on is increased? _________
2. ... residing on it removed as well? ___________________________________________
3. If a file system is the same size as the logical volume on which it sits, does the size of the logical volume increase when the size of the file system that is residing on it increases? ___________
Checkpoint solutions
1. Does the size of the file system change when the size of the logical volume it is on is increased? No
2. ... residing on it removed as well?
3. If a file system is the same size as the logical volume on which it sits, does the size of the logical volume increase when the size of the file system that is residing on it increases? Yes
Unit summary
The components of a JFS file system are the superblock, inodes, data blocks, and indirect blocks.
The characteristics of a JFS file system are: fragment size, NBPI, allocation group size, compression, and whether it should be large file enabled.
JFS2 supports large files and large file systems, and its extent-based allocation improves performance.
File systems can be added and removed from the system, and their characteristics can also be changed, all through SMIT.
Unit objectives
After completing this unit, you should be able to:
Monitor file system growth and control growing files
Manage file system disk space usage
Implement basic file system integrity checks
Space management
File systems expand upon notice, NOT automatically. To keep from running into problems:
Monitor file system growth
Determine causes
Control growing files
Manage file system space usage
Control user disk usage
Defragment file system
Modify the skulker shell script to suit local needs for the
# du /home | sort -r -n
624   /home
392   /home/fred
98    /home/tom
54    /home/mary
52    /home/liz
23    /home/suzy
2     /home/guest
1     /home/steve
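The two checks above (watch %Used per file system, then rank the directories underneath to find the cause) are easy to script. The following is an added example, not part of the IBM course material: the df -k sample is constructed and shaped like AIX df output, the du sample is the listing from this unit, and the function names are my own.

```sh
#!/bin/sh
# Added example (not IBM course code): flag file systems near capacity and
# rank the directories consuming a file system, from df -k and du output.

# Constructed sample shaped like AIX "df -k" output; the values are invented.
DF_SAMPLE='Filesystem    1024-blocks      Free %Used    Iused %Iused Mounted on
/dev/hd4             65536     28716   57%     2120    14% /
/dev/hd2           2097152    339188   84%    36404    24% /usr
/dev/hd9var         131072     12984   91%     1388     9% /var
/dev/hd3            262144    248900    6%       84     1% /tmp
/dev/hd1            524288     21320   96%    12004    15% /home'

# The du listing from the unit, used here as constructed input.
DU_SAMPLE='624 /home
392 /home/fred
98 /home/tom
54 /home/mary
52 /home/liz
23 /home/suzy
2 /home/guest
1 /home/steve'

# over_threshold PCT: read df -k text on stdin and print "mountpoint used%"
# for every file system whose %Used is at or above PCT. The header is skipped.
over_threshold() {
    awk -v limit="$1" 'NR > 1 {
        pct = $4; sub(/%/, "", pct)
        if (pct + 0 >= limit + 0) print $7, pct "%"
    }'
}

# top_consumers ROOT N: read du output on stdin and print the N largest
# entries below ROOT, skipping ROOT itself (its total is the symptom, not the cause).
top_consumers() {
    awk -v root="$1" '$2 != root' | sort -rn | head -n "$2"
}

# Stand-alone run: file systems at 90% or more, then the two biggest users of /home.
printf '%s\n' "$DF_SAMPLE" | over_threshold 90
printf '%s\n' "$DU_SAMPLE" | top_consumers /home 2
```

On a live system the pipelines would read `df -k | over_threshold 90` and `du /home | top_consumers /home 5`; running the report from cron and mailing only the non-empty output gives the early notice the slide asks for.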
Fragmentation considerations
Diagram: without fragmentation, a 2000-byte file occupies a whole 4096-byte block. With fragmentation and a fragment size of 1024 bytes, the 4096-byte block is divided into four 1024-byte fragments and the 2000-byte file uses only the fragments it needs.
Considerations to be made:
Disk space allocation
Disk space utilization
I/O activity
Free space fragmentation
Fragment allocation map
The fsck command
Checks the journal log
Checks inodes, indirect blocks, data blocks, free lists
If no file system name is specified, the fsck command checks all file systems which have the check=true attribute set in /etc/filesystems
Orphan files are placed in the lost+found directory
Unmount the file system before running fsck
Checkpoint
1. What command can you use to determine if a file
system is full? __________
Checkpoint solutions
1. What command can you use to determine if a file
system is full? df
Part 1 - Determining file system usage Part 2 - Using fragments for disk usage efficiency Part 3 - Using JFS compression Part 4 - Fixing file system problems
Unit summary
File systems need to be regularly monitored to ensure that they do not run out of space. A file system integrity check with fsck should be carried out whenever file system corruption is suspected.
Unit objectives
After completing this unit, you should be able to:
Define why paging space is required in AIX
List and monitor the paging space utilization of the system
Perform corrective actions to rectify too little or too much paging space scenarios
RAM usage
Diagram: physical memory holding the Operating System, a Database and TCP/IP, with 8 MB FREE. Memory is managed in 4 KB pages; inactive pages are moved to paging space on disk.
Paging space
Is a secondary storage area for over-committed memory
Holds inactive 4 KB pages on disk
Is not a substitute for real memory
Paging space logical volumes in this unit: hd6, paging00, paging01
Checkpoint
1. What conclusions regarding potential paging space problems can
you reach based on the following listing?
Page Space   Physical Volume   Volume Group   Size    %Used   Active   Auto   Type   chksum
(not shown)  (not shown)       rootvg         64 MB   43%     yes      yes    lv     0
paging00     (not shown)       rootvg         64 MB    7%     yes      yes    lv     0
paging01     (not shown)       rootvg         16 MB   89%     yes      yes    lv     0
True or False? The size of paging00 (in the above example) can be dynamically decreased.
Checkpoint solutions
1. What conclusions regarding potential paging space problems can
you reach based on the following listing?
Page Space   Physical Volume   Volume Group   Size    %Used   Active   Auto   Type   chksum
(not shown)  (not shown)       rootvg         64 MB   43%     yes      yes    lv     0
paging00     (not shown)       rootvg         64 MB    7%     yes      yes    lv     0
paging01     (not shown)       rootvg         16 MB   89%     yes      yes    lv     0
Obviously, it is difficult to come to any conclusions regarding the state of this system just by looking at a snapshot picture like the one above. However, at first glance, the following potential problems can be noticed: paging00 is underutilized, and it is too large. It needs to be reduced in size. paging01 is over utilized, and the size seems to be too small. It needs to be increased in size. Both user-defined paging spaces are on the same disk. It would be better if one of them were moved onto a disk which is less utilized.
True or False? The size of paging00 (in the above example) can be dynamically decreased.
Unit summary
Unit objectives
After completing this unit, you should be able to:
Identify issues which have to be considered when deciding which backup policies to implement: media to be used, frequency of the backup, type of backup
List the different backup methods supported through SMIT and on the command line
Create a customized installable system image backup
Execute other useful commands to manipulate the backed up data on the media
Why backup?
Data is very important: expensive to re-create; can it be re-created?
Disaster recovery: hardware failure; damage due to installation/repair; accidental deletion
Transfer of data between systems
Reorganizing file systems: defragmentation to improve performance
System image for installation
Checkpoint (before and after upgrade)
Long term archive
Types of backup
Three types of backup:
System: records an image backup of the operating system
Full: preserves all user data and configuration files
Incremental: records changes since previous backups; must be used carefully; very quick
Backup strategy
Back up all data that changes!
Diagram: a system backup of rootvg, a full backup of the user data, then incremental backups between full backups.
Backup devices
Diskette drive, 3 1/2-inch (1.44):
/dev/fdxl      720 KB
/dev/fdxh      1.44 MB
/dev/fdx.9     720 KB
/dev/fdx.18    1.44 MB
/dev/fdx.36
Tape drives (VXA, QIC): the special file name selects whether the tape is rewound on close (yes/no) for each density.
For DVD:
Need 7210 DVD-RAM drive No additional software needed for UDF format
SMIT backup menus
File Systems
  Back Up a File System
  Restore a File System
  List Contents of a Backup
Volume Groups
  Back Up a Volume Group
  Remake a Volume Group
  List Files in a Volume Group Backup
  Restore Files in a Volume Group Backup
F1=Help  F2=Refresh  F3=Cancel  F8=Image  F9=Shell  F10=Exit  Enter=Do
Back Up the System (mksysb) - entry fields:
* Backup DEVICE or FILE
  Create MAP files?
  EXCLUDE files?
  List files as they are backed up?
  Verify readability if tape device?
  Generate new /image.data file?
  EXPAND /tmp if needed?
  Disable software packing of backup?
  Backup extended attributes?
  Number of BLOCKS to write in a single output (Leave blank to use a system default)
  Location of existing mksysb image
  File system to use for temporary work space (If blank, /tmp will be used.)
  Backup encrypted files?
  Back up DMAPI filesystem files?
[BOTTOM]

mksysb tape image
Diagram: the tape holds four images. The first three are written with Blocksize = 512 (the third is a dummy table of contents, dummy .toc); the fourth, the rootvg data, is written at the tape drive blocksize and is a backup by name.
Restoring a mksysb (1 of 2)
Boot the system in install/maintenance mode:

Welcome to Base Operating System Installation and Maintenance
   1 Start Install Now With Default Settings
   2 Change/Show Installation Settings and Install
>> 3 Start Maintenance Mode for System Recovery
   4 Configure Network Disks (iSCSI)

Maintenance
   1 Access A Root Volume Group
   2 Copy a System Dump to Removable Media
   3 Access Advanced Maintenance Functions
   4 Erase Disks
   .
>> 6 Install from a System Backup

Restoring a mksysb (2 of 2)
Welcome to Base Operating System Installation and Maintenance
Type the number of your choice and press Enter. Choice is indicated by >>.
   1 Start Install Now With Default Settings
>> 2 Change/Show Installation Settings and Install
   3 Start Maintenance Mode for System Recovery
   4 Configure Network Disks (iSCSI)

System Backup Installation and Settings
Type the number of your choice and press Enter.
   1 Disk(s) where you want to install          hdisk0
   2 Use Maps                                   No
   3 Shrink Filesystems                         No
   0 Install with the settings listed above

Remake a Volume Group (SMIT)
Type or select values in entry fields. Press Enter AFTER making all desired changes.
                                                      [Entry Fields]
* Restore DEVICE or FILE                              [/dev/rmt0]
  SHRINK the filesystems?                             no
  Recreate logical volumes and filesystems only       no
  PHYSICAL VOLUME names                               []
    (Leave blank to use the PHYSICAL VOLUMES listed in the vgname.data file in the backup image)
  Use existing MAP files?                             yes
  Physical partition SIZE in megabytes                []
    (Leave blank to have the SIZE determined based on disk size)
  Number of BLOCKS to read in a single input          []
    (Leave blank to use a system default)
  Alternate vg.data file                              []
    (Leave blank to use vg.data stored in backup image)
F1=Help  F2=Refresh  F3=Cancel  F4=List  F5=Reset  F6=Command  F7=Edit  F8=Image  F9=Shell  F10=Exit  Enter=Do
Back up by filename
backup -i [-q] [-v] [-p] [-U] [-Z] [-f device] < listfile
  -q   Media is ready
  -v   Verbose - display filenames during backup
  -p   Pack files which are less than 2 GB
  -U   Specifies to back up any ACLs
  -Z   Backs up the Encrypted File System (EFS)

Backup a File or Directory (SMIT)
Type or select values in entry fields. Press Enter AFTER making all desired changes.
This option will perform a backup by name.
                                              [Entry Fields]
* Backup DEVICE                               [/dev/fd0]      +/
* FILE or DIRECTORY to backup                 [.]
  Current working DIRECTORY                   []
  Backup LOCAL files only?                    yes             +
  VERBOSE output?                             no              +
  PACK files?                                 no              +
  Backup extended attributes?                 yes             +
  Back up EFS Attributes?                     Yes             +
F1=Help  F2=Refresh  F3=Cancel  F4=List  F5=Reset  F6=Command  F7=Edit  F8=Image  F9=Shell  F10=Exit  Enter=Do
Incremental backup calendar
Diagram: one month of backups by level. Monday to Thursday each carry a level 6 backup; the end-of-week backups alternate between level 0 on the 15th and 29th and level 3 on the 22nd (and the earlier week). Saturdays (1, 8, 16, 23, 30) are marked * with no backup.
restore command (1 of 2)
List files on media (verify the backup):
restore -T [-q] [-v] [-f device]
# restore -Tvf /dev/rmt0
Restore individual files:
restore -x [-q] [-v] [-f device] [file1 file2 ...]
# restore -xvf /dev/rmt0 /home/mike/manual/chap1
Restore complete file system:
restore -r [-q] [-v] [-f device]
Restore backups in order, that is, -0 then -1 and so forth
# restore -rqvf /dev/rmt0
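"Restore backups in order" hides a small algorithm: given a calendar of level 0/3/6 backups like the one above, which tapes are needed to recover a given day, and in what order? The script below is an added example, not IBM course material. It assumes dump-style level semantics (a level N backup holds the files changed since the most recent earlier backup with a lower level), which is how the unit's -0 then -1 ordering is normally explained; the schedule is constructed and the function name is my own.

```sh
#!/bin/sh
# Added example (not IBM course code): work out which backups must be restored,
# and in what order, to rebuild a file system from an incremental schedule.
# Assumption (dump-style level semantics): a level N backup holds the files
# changed since the most recent earlier backup with a level lower than N.

# Constructed schedule, one "YYYY-MM-DD level" line per backup, oldest first.
SCHEDULE='2007-06-01 0
2007-06-04 6
2007-06-05 6
2007-06-06 6
2007-06-07 6
2007-06-08 3
2007-06-11 6
2007-06-12 6
2007-06-13 6
2007-06-14 6
2007-06-15 0'

# restore_chain DATE: print the backups to restore, oldest first, to recover the
# state as of DATE. Starting from the last backup on or before DATE, repeatedly
# step back to the most recent earlier backup with a strictly lower level until
# a level 0 is reached. Exit status 1 if no usable chain exists.
restore_chain() {
    printf '%s\n' "$SCHEDULE" | awk -v target="$1" '
        $1 <= target { d[++n] = $1; l[n] = $2 + 0 }
        END {
            if (n == 0) exit 1
            i = n; k = 1; chain[k] = i
            while (l[i] > 0) {
                j = i - 1
                while (j >= 1 && l[j] >= l[i]) j--
                if (j < 1) exit 1          # no level 0 before this point
                i = j; chain[++k] = i
            }
            for (m = k; m >= 1; m--) printf "%s level %d\n", d[chain[m]], l[chain[m]]
        }'
}

# Stand-alone run: the chain needed to recover the state as of 13 June.
restore_chain 2007-06-13
```

For 13 June the answer is three tapes: the level 0 of the 1st, the level 3 of the 8th, then the level 6 of the 13th; the level 6 backups of the 11th and 12th are not needed because the 13th already contains everything changed since the 8th. Keeping this list with the tape labels is part of the "test recovery procedures before you have to" advice later in the unit.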
restore command (2 of 2)
Restores the file attributes without restoring the file contents:
restore -Pstring [-q] [-v] [-f device] [file1 file2 ...]
string can be:
  A   Restore all attributes
  a   Restore only the permissions of the file
  o   Restore only the ownership of the file
  t   Restore only the timestamp of the file
  c   Restore only the ACL attributes of the file
To restore only the permissions of the file /etc/passwd from the archive:
# restore -Pa -vf /dev/rmt0 ./etc/passwd
Other backup commands
Widely available
Difficulties can occur with many symbolic links
dd (device to device): makes backup copies that are an exact image; can also be used for conversions, for example ASCII to EBCDIC
Restore from a cpio image:
# cpio -idv < /dev/rmt0
List (verify) the contents of a cpio image:
# cpio -itv < /dev/rmt0
The dd command
The dd command converts and copies files. To copy a file to diskette:
# dd if=/etc/inittab of=/dev/rfd0
The tctl command controls the tape device:
Rewinds a tape
Fast forwards a tape
Ejects a tape
Rewinds and ejects a tape
Good practices
Verify your backups
Check the tape device
Keep old backups
Offsite secure storage
Label tapes
Test recovery procedures before you have to!
Checkpoint
1. What is the difference between the following two commands?
   a) find /home/fred | backup -ivf /dev/rmt0
   b) cd /home/fred; find . | backup -ivf /dev/rmt0
   ___________________________________________________
On a mksysb tape, if you entered tctl rewind and then tctl -f /dev/rmt0.1 fsf 3, which element on the tape could you look at? __________________________________________
Which command could you use to restore these files? _____________________________________________________
6. True or False? smit mksysb backs up all file systems, provided they are mounted. _____________________________________
Checkpoint solutions
1. What is the difference between the following two commands?
   a) find /home/fred | backup -ivf /dev/rmt0
   b) cd /home/fred; find . | backup -ivf /dev/rmt0
   (a) backs up the files using the full path names, whereas (b) backs up the files using relative path names. So (b)'s files can be restored into any directory.
On a mksysb tape, if you entered tctl rewind and then tctl -f /dev/rmt0.1 fsf 3, which element on the tape could you look at?
   You would be at the start of the backed up images of the files, having skipped over the boot portion of the tape.
Which command could you use to restore these files?
   The files were backed up using the backup command, so you would have to use the restore command.
6. True or False? smit mksysb backs up all file systems, provided they are mounted.
   mksysb only backs up rootvg file systems. To back up other volume groups, you must use the savevg command.
Unit summary
In order to perform successful backups, consideration must be given to the frequency of the backup, the media to be used and the type of backup. Backups can be initiated on a single file, a file system or an entire volume group, all of which are supported through SMIT. By modifying the bosinst.data and the image.data files, a customized system image backup can be created. There are many other UNIX backup commands which can be used, however their limitations must be fully understood. The commands include: tar, cpio and dd. Other useful commands also exist to manipulate the data on the backup media such as tctl.
Unit objectives
After completing this unit, you should be able to:
Define the concepts of users and groups, and explain how and when these should be allocated on the system
Describe ways of controlling root access on the system
Explain the uses of SUID, SGID, and SVTX permission bits
Administer user accounts and groups
Identify the data files associated with users and security
User accounts
Each user has a unique name, numeric ID, and password
File ownership is determined by a numeric user ID
The owner is usually the user who created the file, but ownership can be transferred by root
Default users:
  root: superuser
  adm, sys, bin, ...: IDs that own system files but cannot be used for login
Groups
A group is a set of users, all of whom need access to a given set of files.
The user has access to a file if any group in the user's groupset provides access. To list the groupset, use the groups command.
The user's real group ID is used for file ownership on creation. To change the real group ID, use the newgrp command.
Default groups:
  System administrators: system
  Ordinary users: staff
Group hierarchy
Diagram: groups with rights to administrative functions are system, adm, printq, audit, shutdown and security; the ordinary user belongs to staff.
User hierarchy
To protect important users and groups from members of the security group, AIX has admin users and admin groups.
Only root can add, remove, or change an admin user or admin group.
Any user on the system can be defined as an admin user regardless of the group they are in.
root
Assign different root passwords to different machines.
System administrators should always log in as themselves first and then su to root instead of logging in as root. This helps provide an audit trail for root usage.
Security logs
/var/adm/sulog                  Audit trail of su activity
/var/adm/wtmp                   Login and logout history
/etc/utmp                       Users currently logged in
/etc/security/failedlogin       Failed login attempts
File/Directory permissions
Perm. bit   File                                        Directory
r           Read content of file                        List content of directory
w           Modify content of file                      Create and remove files in directory
x           Use file name to execute as a command       Give access to directory
SUID        Run program with effective UID of owner     --------
SGID        Run program with effective GID of group     Files created in directory inherit the same group as the directory
SVTX        --------                                    Must be owner of files to delete files from directory
Reading permissions
owner:  r w x | s | S     (s = SUID with execute, S = SUID without execute)
group:  r w x | s | S     (s = SGID with execute, S = SGID only, without execute)
other:  r w x | t | T     (t = SVTX with execute, T = SVTX without execute)
Changing permissions
Octal values: leading digit SUID = 4, SGID = 2, SVTX = 1; then for each of owner, group and other: r = 4, w = 2, x = 1.
umask
The umask governs permissions on new files and directories
System default umask is 022
A umask of 027 is recommended
If the umask value is set to 022, then any ordinary files or directories created inherit the following permissions:
  Ordinary file:  rw-r--r--
  Directory:      rwxr-xr-x
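The umask table and the s/S/t/T reading rules above are easiest to check by experiment. The script below is an added example, not IBM course material: it creates objects under a given umask in a throw-away directory and reports the mode string ls shows, and it lists the SUID/SGID/SVTX objects in a constructed sample tree the way an administrator would review them on a real file system. Function names and the sample tree are my own.

```sh
#!/bin/sh
# Added example (not IBM course code): show what a umask yields for new files
# and directories, and list objects carrying SUID, SGID or SVTX so they can be
# reviewed. Everything runs in a throw-away temporary directory.

# mode_after_umask MASK file|dir: create one object under MASK and print its
# mode as ls -l shows it (the first 10 characters, e.g. -rw-r-----).
mode_after_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    )
    ls -ld "$tmp/new" | cut -c1-10
    rm -rf "$tmp"
}

# find_special_bits DIR: list everything under DIR with SUID (4000), SGID (2000)
# or SVTX (1000) set, tagged with the bit names. ls shows these as s/S in the
# owner or group execute column and t/T in the other execute column; the
# lower-case form means the execute bit is also set.
find_special_bits() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -exec sh -c '
        base=$1; shift
        for f; do
            mode=$(ls -ld "$f" | cut -c1-10)
            tags=""
            case $(printf %s "$mode" | cut -c4)  in s|S) tags="${tags}SUID " ;; esac
            case $(printf %s "$mode" | cut -c7)  in s|S) tags="${tags}SGID " ;; esac
            case $(printf %s "$mode" | cut -c10) in t|T) tags="${tags}SVTX " ;; esac
            printf "%s %s%s\n" "$mode" "$tags" "${f#"$base"/}"
        done' sh "$1" {} + | LC_ALL=C sort
}

# demo_tree: constructed sample tree with one object per special bit plus a
# plain file; prints the directory path so the caller can inspect and remove it.
demo_tree() {
    t=$(mktemp -d) || return 1
    : > "$t/plain";        chmod 755  "$t/plain"
    : > "$t/setuid_prog";  chmod 4755 "$t/setuid_prog"
    : > "$t/setgid_prog";  chmod 2755 "$t/setgid_prog"
    mkdir "$t/shared";     chmod 1777 "$t/shared"
    printf '%s\n' "$t"
}

# Stand-alone run: the recommended umask 027 against the default 022, then a
# special-bit review of the sample tree.
echo "umask 022 file: $(mode_after_umask 022 file)  dir: $(mode_after_umask 022 dir)"
echo "umask 027 file: $(mode_after_umask 027 file)  dir: $(mode_after_umask 027 dir)"
tree=$(demo_tree)
find_special_bits "$tree"
rm -rf "$tree"
```

Run against a real directory such as /usr, `find_special_bits` gives the list to compare against the previous review: every SUID or SGID program should be one you expect, and every SVTX directory should be a deliberately shared one.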
Changing ownership
The chown command:
# chown fred file1
The chgrp command:
# chgrp staff file1
Changing both user and group ownership:
# chown fred:staff file1
# chown fred.staff file1
Login sequence
Diagram: getty starts login; the user enters a login name and a password, which are verified against /etc/passwd and /etc/security/passwd. If invalid, an entry is logged in /etc/security/failedlogin. If valid, the session processes /etc/environment, /etc/profile, $HOME/.profile and $HOME/.kshrc.
SMIT users
# smit users
Users
Move cursor to desired item and press Enter.
  Add a User
  Change a User's Password
  Change / Show Characteristics of a User
  Lock / Unlock a User's Account
  Reset User's Failed Login Count
  Remove a User
  List All Users
F1=Help  F2=Refresh  F3=Cancel  F8=Image  F9=Shell  F10=Exit  Enter=Do
Example:
# lsuser -a id home ALL
root id=0 home=/
daemon id=1 home=/etc
bin id=2 home=/bin
...
john id=200 home=/home/john
...
Passwords
A new user ID cannot be used until a password is assigned
There are two commands available for making password changes:
# passwd [username]
# pwdadm username
SMIT invokes the passwd command
An ordinary user can use the passwd command to change their own password
Only root or a member of the security group can change the password of another user
Recovering a lost root password from maintenance mode: follow the options to activate the root volume group and obtain a shell. Once a shell is available, execute the passwd command to change root's password, then flush the change to disk before rebooting:
# sync ; sync
SMIT groups
# smit groups
Groups
Move cursor to desired item and press Enter.
  List All Groups
  Add a Group
  Change / Show Characteristics of a Group
  Remove a Group
F1=Help  F2=Refresh  F3=Cancel  F8=Image  F9=Shell  F10=Exit  Enter=Do
Example:
# lsgroup ALL
system id=0 admin=true users=root,test2 registry=compat
staff id=1 admin=false users=ipsec,team01,team02,team03,team04,team05,test1,daemon registry=compat
bin id=2 admin=true users=root,bin registry=compat
sys id=3 admin=true users=root,bin,sys registry=compat
adm id=4 admin=true users=bin,adm registry=compat
uucp id=5 admin=true users=uucp,nuucp registry=compat
...
ipsec id=200 admin=false users= registry=compat

Add a Group
# smit mkgroup
Add a Group
Type or select values in entry fields. Press Enter AFTER making all desired changes.
                                        [Entry Fields]
* Group NAME                            [support]
  ADMINISTRATIVE group?                 false            +
  Group ID                              [300]            #
  USER list                             [fred,barney]    +
  ADMINISTRATOR list                    [fred]           +
  Projects                              [ ]              +
  Initial Keystore Mode                 [ ]              +
  Keystore Encryption Algorithm         [ ]              +
  Keystore Access                       [ ]              +
F1=Help  F2=Refresh  F3=Cancel  F4=List  F5=Reset  F6=Command  F7=Edit  F8=Image  F9=Shell  F10=Exit  Enter=Do
directory, then the contents of the /etc/motd file are not displayed to that user
Security files
Files used to contain user attributes and control access:
/etc/passwd                  Valid users (not passwords)
/etc/group                   Valid groups
/etc/security                Directory not accessible to normal users
/etc/security/passwd         User passwords
/etc/security/user           User attributes, password restrictions
/etc/security/group          Group attributes
/etc/security/limits         User limits
/etc/security/environ        User environment settings
/etc/security/login.cfg      Login settings
/etc/passwd file
# cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
esaadmin:*:811:0::/home/esaadmin:/usr/bin/ksh
john:!:200:0:x7560 5th floor:/home/john:/usr/bin/ksh
bill:*:201:1::/home/bill:/usr/bin/ksh
```
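Because /etc/passwd is plain text, the conditions an administrator cares about (which accounts have UID 0, which UIDs are shared by several names, which accounts still have an empty password field) can be checked with awk. The script below is an added example, not IBM course material; it reads the listing shown above as constructed input, and the function and finding names are my own.

```sh
#!/bin/sh
# Added example (not IBM course code): review an /etc/passwd-format file for
# accounts with UID 0, UIDs shared by several names, and accounts whose
# password field is empty (a new user ID should not be usable until a
# password has been assigned).

# The /etc/passwd listing shown in the unit, reproduced here as constructed input.
PASSWD_SAMPLE='root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
esaadmin:*:811:0::/home/esaadmin:/usr/bin/ksh
john:!:200:0:x7560 5th floor:/home/john:/usr/bin/ksh
bill:*:201:1::/home/bill:/usr/bin/ksh'

# audit_passwd: read passwd-format lines on stdin and print one finding per line:
#   uid0 NAME            account with UID 0
#   dupuid UID N1,N2     UID shared by several account names
#   nullpw NAME          empty password field
# Output is sorted in the C locale so successive reviews can be diffed.
audit_passwd() {
    awk -F: 'NF >= 7 {
        if ($3 == 0) print "uid0", $1
        if ($2 == "") print "nullpw", $1
        count[$3]++
        names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
    }
    END { for (u in count) if (count[u] > 1) print "dupuid", u, names[u] }' | LC_ALL=C sort
}

# Stand-alone run over the sample listing.
printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
```

On the sample the review reports `dupuid 200 snapp,john` and `dupuid 201 ipsec,bill` besides the expected `uid0 root`: two pairs of accounts share a numeric ID, so files owned by one are owned by the other as far as the kernel is concerned, which is exactly the kind of finding the "file ownership is determined by a numeric user ID" slide warns about. On a real system the input would be `audit_passwd < /etc/passwd`.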
/etc/security/passwd file
# cat /etc/security/passwd
root:
        password = 92t.mzJBjlfbY
        lastupdate = 885485990
        flags =

daemon:
        password = *

bin:
        password = *
...
john:
        password = q/gD6q.ss21x.
        lastupdate = 884801337
        flags = ADMCHG,ADMIN,NOCHECK
/etc/security/user file (1 of 2)
# cat /etc/security/user
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        ...

/etc/security/user file (2 of 2)
default
        ...
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =
Group files
# more /etc/group
system:!:0:root,john
staff:!:john
bin:!:2:root,bin
sys:!:3:root,bin,sys
...
usr:!:100:guest
accounts:!:200:john
...

# more /etc/security/group
system:
        admin = true

staff:
        admin = false

accounts:
        admin = false
        adms = john
        projects = system
/etc/security/login.cfg file
default:
        herald = "Authorized use only.\n\rlogin:"
        logintimes =
        logindisable = 0
        logininterval = 0
        loginreenable = 0
        logindelay = 0
        pwdprompt = "Password: "
        usernameecho = false
Security Policy and Setup
Organize groups around the type of work that is to be done
Organize ownership of data to fit with the group structure
Set SVTX on shared directories
Remember that UNIX/AIX has no concept of application ownership
Checkpoint (1 of 2)
What are the benefits of using the su command to switch user to root over logging in as root?
_____________________________________________________
Why is a umask of 027 recommended?
_____________________________________________________
As a member of the security group, which password command would you use?
__________________________________________________
Which password change command does SMIT use?
__________________________________________________
13. True or False? When you delete a user from the system, all the user's files and directories are also deleted.
Checkpoint solutions (1 of 2)
What are the benefits of using the su command to switch user to root over logging in as root?
   A log (which can be monitored) of all users executing the su command is kept in the sulog.
Why is a umask of 027 recommended?
   This value removes all permission bits for the others category, which enhances security.
As a member of the security group, which password command would you use?
   pwdadm (This command does not prompt for the root password or the old password of the user whose password is being changed.)
Which password change command does SMIT use?
   passwd
True or False? When you delete a user from the system, all the user's files and directories are also deleted.
Checkpoint (2 of 2)
1. If an ordinary user forgets their password, can the system administrator find out by querying the system as to what the user's password was set to? _______ Why? ___________________
   /etc/passwd
   /etc/security/passwd
   /etc/security/restrictions
   /etc/security/user
   A user can only belong to one group
   A member of the security group can administer user accounts
   An admin user is a user whose account cannot be administered by any member of the security group (except root)
   The chmod g+s command sets the SUID permission of a file
   The root user, commonly known as the superuser, has UID=0 and GID=0
Checkpoint solutions (2 of 2)
1. If an ordinary user forgets their password, can the system administrator find out by querying the system as to what the user's password was set to?
   No, because the passwords are held in encrypted format, so even the system administrator cannot tell what the password was set to.
   /etc/passwd
   /etc/security/passwd
   /etc/security/restrictions
   /etc/security/user
   A user can only belong to one group
   A member of the security group can administer user accounts
   An admin user is a user whose account cannot be administered by any member of the security group (except root)
   The chmod g+s command sets the SUID permission of a file
   The root user, commonly known as the superuser, has UID=0 and GID=0
Part 6 - Examine the security set up Part 7 - Customizing the login herald
Unit summary
Users and groups can be added to and deleted from the system by using SMIT or by using high-level commands.
Passwords must be set for all users using either pwdadm or passwd.
Administrative users and groups can only be administered by root.
Every user must be in at least one group. Certain groups give users additional privileges.
Security files are ASCII text files located in the /etc and /etc/security directories.
Unit 15 Scheduling
Copyright IBM Corporation 2008 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit objectives
After completing this unit, you should be able to:
- Use crontab files to schedule jobs on a periodic basis
- Use the at command to schedule a job or series of jobs at some time in the future
- Use the batch command to schedule jobs in a queue to alleviate immediate system demand
crontab files

- Used to start regularly occurring jobs.
- The schedule is defined in /var/spool/cron/crontabs/$USER.
- Format of entries:

  minute hour date-of-month month day-of-week command

A safer method than editing the crontab in place is to export it, edit the copy, and load the copy back:

  # crontab -l > /tmp/crontmp
  # vi /tmp/crontmp
  # crontab /tmp/crontmp

The temporary file is loaded back as your whole schedule, so keep it in a directory only you can write to, or with a name nobody else can predict: /tmp is world-writable, and another user who can pre-create or replace /tmp/crontmp chooses what cron runs under your user ID.
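The entry format above can be checked without waiting for cron to fire. The following matcher is an added example and is not part of the IBM course material: it parses five-field entries as printed by crontab -l (lists, ranges, steps), tells whether an entry fires in a given minute, and finds the next run. The crontab text inside it is constructed; its first entry is the checkpoint answer for "every Thursday at 10 and 30 minutes past".

```python
# Added example, not part of the IBM course material: a matcher for the
# five-field crontab entries that "crontab -l" prints, so a schedule can be
# checked (or an unfamiliar entry found during an investigation understood)
# without waiting for cron to fire. The crontab text below is constructed.
from datetime import datetime, timedelta

# (low, high) for minute, hour, day-of-month, month, day-of-week (0 = Sunday)
FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))

def parse_field(spec, lo, hi):
    """Expand one field ('*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n') into a set."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError("%r is outside %d-%d" % (spec, lo, hi))
        values.update(range(start, end + 1, step))
    return values

def parse_entry(line):
    """Split 'minute hour date-of-month month day-of-week command'."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("entry needs five time fields and a command: %r" % line)
    fields = [parse_field(spec, lo, hi)
              for spec, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    return {"fields": fields, "command": parts[5],
            # remembered for the day matching rule in fires_at()
            "dom_any": parts[2] == "*", "dow_any": parts[4] == "*"}

def parse_crontab(text):
    """Parse crontab -l output; blank lines and '#' comments are skipped."""
    return [parse_entry(l.strip()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def fires_at(entry, when):
    """True if cron would start the entry in the given minute. Standard
    System V rule: when both day-of-month and day-of-week are restricted,
    either one matching is enough. Python's weekday() has Monday = 0 and
    cron has Sunday = 0, hence the conversion."""
    minute, hour, dom, mon, dow = entry["fields"]
    dom_ok = when.day in dom
    dow_ok = (when.weekday() + 1) % 7 in dow
    if entry["dom_any"] or entry["dow_any"]:
        day_ok = dom_ok and dow_ok
    else:
        day_ok = dom_ok or dow_ok
    return when.minute in minute and when.hour in hour and when.month in mon and day_ok

def next_run(entry, start, horizon_days=8):
    """First minute after 'start' in which the entry fires, or None."""
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = t + timedelta(days=horizon_days)
    while t < end:
        if fires_at(entry, t):
            return t
        t += timedelta(minutes=1)
    return None

# Constructed crontab, in the form printed by crontab -l. The first entry is
# the course checkpoint answer (every Thursday at 10 and 30 minutes past).
SAMPLE_CRONTAB = """\
# min hour dom mon dow command
10,30 * * * 4 /usr/local/bin/thursday_report
0 2 * * * /usr/sbin/backup_rootvg
*/15 8-17 * * 1-5 /usr/local/bin/poll_queue
"""
ENTRIES = parse_crontab(SAMPLE_CRONTAB)

if __name__ == "__main__":
    for e in ENTRIES:
        print(next_run(e, datetime(2007, 6, 6, 10, 0)), e["command"])
```

Run it against the output of crontab -l for each user when documenting or auditing a system; an entry whose next run or command path surprises you is worth a second look.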
Controlling at jobs

To list at jobs: at -l [user] or atq [user]

  # at -l
  root.1118077769.a     Mon Jun  6 10:09:29 2007
  root.1118078393.a     Mon Jun  6 10:19:53 2007
  test2.1118079063.a    Mon Jun  6 10:31:03 2007

To cancel an at job: at -r job or atrm [job | user]

  # at -r test2.1118079063.a
  at file: test2.1118079063.a deleted
Documenting scheduling

- Keep a copy of each user's crontab file.
- Keep a copy of the /etc/inittab file.
- Keep scheduling records.
Checkpoint

1. True or False? The at.allow and at.deny files must be used to specify which users are allowed and denied use of the at command. _____
2. What crontab entry would run a job every Thursday at 10 past and 30 minutes past every hour? _____________________________________________
3. How would you run a job 10 minutes from now? _____________________________________________

Checkpoint solutions

1. True or False? The at.allow and at.deny files must be used to specify which users are allowed and denied use of the at command. False. Only one or the other of these files should be used.
2. What crontab entry would run a job every Thursday at 10 past and 30 minutes past every hour?

  10,30 * * * 4 <job>

3. How would you run a job 10 minutes from now?

  # at now + 10 minutes
  myscript
  ^d
  #

Unit summary

- The crontab files are used to schedule recurring jobs.
- The at command is used to schedule a command for one-time-only execution.
Copyright IBM Corporation 2008 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit objectives
After completing this unit, you should be able to:
- Define the basic TCP/IP terminology
- Configure TCP/IP for an Ethernet or Token-Ring connection
- Use some of the standard TCP/IP facilities to log in to another system, transfer files, and run commands
What is TCP/IP?

Transmission Control Protocol/Internet Protocol: software that enables different systems to exchange data over a variety of types of network.

An Internet

A TCP/IP network is often called an internet. (Figure: hosts A to F on Token Ring, Ethernet, FDDI, X.25 and serial/modem segments, joined by gateways.)

- Individual machines are called hosts.
- Hosts may vary in size and functionality but have equal standing as far as TCP/IP is concerned.
- Hosts which link two or more physical network segments to each other are called gateways.
If you know the address but not the name, you can use some TCP/IP facilities with the address.
(Figure: System p servers, PC clients and other systems sharing a network for network management, mail and file transfer.)
Standard TCP/IP facilities include: mail, file transfer, remote login, remote execution, and remote printing.

A number of AIX applications use TCP/IP:
- Network File System (NFS)
- Network Information Services (NIS)
- Domain Name Service (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Network Computing System (NCS)
- Distributed Computing Environment (DCE)
- X Windows and AIXWindows
- Tivoli Netview for AIX
Name: each machine has a unique hostname. Each machine must have access to a table of name-to-address translations, which can be either a local /etc/hosts file or a name server (DNS).

Routes: in order to communicate with systems in other networks, you may need to find the address of the default gateway.
Configuring TCP/IP

  # smit mktcpip

                       Minimum Configuration & Startup
  To Delete existing configuration data, please use Further Configuration menus
  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.
                                                       [Entry Fields]
  * HOSTNAME                                           [sys1]
  * Internet ADDRESS (dotted decimal)                  [10.0.0.1]
    Network MASK (dotted decimal)                      [255.255.255.0]
  * Network INTERFACE                                   en0
    NAMESERVER
            Internet ADDRESS (dotted decimal)          []
            DOMAIN Name                                []
    Default Gateway
            Address (dotted decimal or symbolic name)  [10.0.0.192]
            Cost                                       [0]                  #
            Do Active Dead Gateway Detection?           no                  +
    Your CABLE Type                                     N/A                 +
    START TCP/IP daemons Now                            no                  +

  F1=Help      F2=Refresh     F3=Cancel    F4=List
  Esc+5=Reset  Esc+6=Command  Esc+7=Edit   Esc+8=Image
  Esc+9=Shell  Esc+0=Exit     Enter=Do
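Before committing the values on that screen, a practitioner checks that they are consistent: a contiguous mask, a host address that is neither the network nor the broadcast address, a default gateway on the interface's own subnet, and an /etc/hosts file in which every name and address is unique. The following is an added example, not IBM course code; the /etc/hosts text it contains is constructed (the sys1 and gateway values match the screen above).

```python
# Added example, not part of the IBM course material: checks for the values
# entered on the smit mktcpip screen and for the /etc/hosts file a flat
# network relies on. The rules are the ones a practitioner verifies before
# committing a configuration; the /etc/hosts text below is constructed.
import ipaddress
import re

# one DNS label: 1-63 letters, digits or hyphens, not starting/ending with '-'
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def check_mktcpip(hostname, address, netmask, gateway=None):
    """Return a list of problems (empty when the configuration is sound)."""
    problems = []
    if not all(LABEL_RE.match(label) for label in hostname.split(".")):
        problems.append("hostname %r is not a valid name" % hostname)
    try:
        iface = ipaddress.IPv4Interface("%s/%s" % (address, netmask))
    except ValueError as exc:  # bad dotted decimal or non-contiguous mask
        return problems + ["bad address or mask: %s" % exc]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("%s is the network or broadcast address of %s" % (iface.ip, net))
    if gateway:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append("gateway %r is not dotted decimal" % gateway)
        else:
            if gw not in net:
                problems.append("gateway %s is not on subnet %s" % (gw, net))
            elif gw == iface.ip:
                problems.append("gateway %s is the host's own address" % gw)
    return problems

def parse_hosts(text):
    """Parse /etc/hosts into (address, [names]) records; '#' starts a comment."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            raise ValueError("line %d: %r is not an IP address" % (lineno, parts[0]))
        records.append((addr, parts[1:]))
    return records

def hosts_conflicts(records):
    """Every machine needs a unique name and address: report names that map to
    more than one address (the first match silently wins) and addresses that
    appear on more than one line."""
    by_name, by_addr = {}, {}
    for addr, names in records:
        by_addr[addr] = by_addr.get(addr, 0) + 1
        for name in names:
            by_name.setdefault(name.lower(), set()).add(addr)
    conflicts = ["name %s maps to %s" % (n, ", ".join(sorted(map(str, a))))
                 for n, a in sorted(by_name.items()) if len(a) > 1]
    conflicts += ["address %s appears %d times" % (a, c)
                  for a, c in sorted(by_addr.items(), key=lambda kv: str(kv[0])) if c > 1]
    return conflicts

# Constructed /etc/hosts with one deliberate mistake (sys2 listed twice).
SAMPLE_HOSTS = """\
# address        name       aliases
127.0.0.1        loopback   localhost
10.0.0.1         sys1       sys1.example.com
10.0.0.192       gw1
10.0.0.7         sys2
10.0.0.8         sys2       # typo: should be sys3
"""

if __name__ == "__main__":
    print(check_mktcpip("sys1", "10.0.0.1", "255.255.255.0", "10.0.0.192"))
    print(hosts_conflicts(parse_hosts(SAMPLE_HOSTS)))
```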
Checkpoint

1. What are the following commands used for?
   ftp    ______________________________________
   rexec  ______________________________________
   telnet ______________________________________
2. What is the difference (if any) between a host and a gateway? ______________________________________________
3. True or false? Each machine in a TCP/IP network must have a unique hostname and TCP/IP address. _____
4. Which file holds the name and the TCP/IP address of each host in a flat network? _____

Checkpoint solutions

1. ftp transfers files from one machine to another; rexec executes a command on a remote system; telnet logs in to another system. All three send user names, passwords and data in clear text, so on any network you do not fully control use their encrypted replacements (ssh, scp, sftp) instead.
2. A host is an individual machine connected to a network, whereas a gateway is a special kind of host which links two or more physical networks together.
3. True.
4. /etc/hosts

Unit summary

- TCP/IP is a networking architecture which defines a set of rules. These rules describe how computers can communicate with one another over a network.
- Standard facilities are provided with TCP/IP, such as telnet to log in to another system, ftp to transfer files, and rexec to execute a command on a remote system.
- In a flat network, the name and TCP/IP address of each host are held in /etc/hosts.
Welcome to:
Copyright IBM Corporation 2005 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit Objectives
After completing this unit, you should be able to:
- Describe the structure of the ODM
- Use the ODM command line interface
- Explain the role of the ODM in device configuration
- Describe the function of the most important ODM files
(Figure: the ODM is used by SMIT menus, TCP/IP configuration and NIM.)
ODM Components

An object class (here PdAt, the predefined attributes) holds objects; each object is described by descriptors:

  uniquetype        attribute    deflt     values
  tape/scsi/scsd    block_size   none      0-2147483648,1
  disk/scsi/osdisk  pvid         none
  tty/rs232/tty     login        disable
Customized databases: CuDep, CuDv, CuAt, CuDvDr, CuVPD

Configuration Manager (cfgmgr): "Plug and Play" device configuration, driven by the predefined databases (PdDv, PdAt, PdCn) and the Config_Rules object class, with the result recorded in the customized databases (CuDv, CuAt, CuDep, CuDvDr, CuVPD).
Methods: Define, Configure (which loads the device driver), Change

ODM repositories: /etc/objrepos, /usr/lib/objrepos, /usr/share/lib/objrepos
(Figure: device states Undefined, Defined and Available, and the relation between the ODM, the AIX kernel and applications; fill-in exercise blanks omitted.)
ODM Commands

- Object class: odmcreate, odmdrop
- Descriptors: odmshow

Object examples:

  PdAt:
          uniquetype = "tape/scsi/scsd"
          attribute = "block_size"
          deflt = "512"
          values = "0-2147483648,1"
          width = ""
          type = "R"
          generic = "DU"
          rep = "nr"
          nls_index = 6

  CuDep:
          name = "rootvg"
          dependency = "hd6"

  CuDep:
          name = "datavg"
          dependency = "lv01"

  CuVPD:
          name = "hdisk2"
          vpd_type = 0
          vpd = "*MFIBM *TM\n\
  HUS151473VL3800 *F03N5280 *RL53343341*SN009DAFDF*ECH17 923D *P26K5531 *Z0\n\
  000004029F00013A*ZVMPSS43A *Z20068*Z307220"
Checkpoint

1. In which ODM class do you find the physical volume IDs of your disks? __________________________________________________

Checkpoint Solutions

1. In which ODM class do you find the physical volume IDs of your disks? CuAt

Unit Summary

- The ODM is made from object classes, which are broken into individual objects and descriptors.
- AIX offers a command line interface to work with the ODM files.
- The device information is held in the customized and the predefined databases (Cu*, Pd*).
Copyright IBM Corporation 2007 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit Objectives
After completing this unit, you should be able to:
- Describe the contents of the boot logical volume
- Interpret LED codes displayed during boot and at system halt
The boot logical volume (hd5) holds the boot code, the AIX kernel, a RAM file system (RAMFS) and a reduced ODM; at boot it is loaded into RAM.

Service mode boot options:
- Diagnostic with default bootlist: key 5 or F5
- Diagnostic with customized service bootlist: key 6 or F6
- HMC advanced boot options support both of the above options
- F1 or #1 enters SMS to set SMS options

From the Maintenance menu (1 Access a Root Volume Group), rebuild the boot image and reboot:

  # bosboot -ad /dev/hdisk0
  # shutdown -Fr
Service Mode bootlist:

  # bootlist -m service -o
  cd0
  hdisk0 blv=hd5
  ent0

  # diag
  TASK SELECTION LIST
    Display Service Hints
    Display Software Product Data
    Display or Change Bootlist
    Gather System Information
    ...
Working with Bootlists in SMS

  System Management Services Main Menu
  1. Select Language
  2. Setup Remote IPL (Initial Program Load)
  3. Change SCSI Settings
  4. Select Console
  5. Select Boot Options
  ===> 5

  Multiboot
  1. Select Install/Boot Device
  2. Configure Boot Device Order
  3. Multiboot Startup <OFF>
  ===> 2

  Configure Boot Device Order
  1. Select 1st Boot Device
  2. Select 2nd Boot Device
  3. Select 3rd Boot Device
  4. Select 4th Boot Device
  5. Select 5th Boot Device
  6. Display Current Setting
  7. Restore Default Setting
  ===> 1

  Device types: 1. Diskette  2. Tape  3. CD/DVD  4. IDE  5. Hard Drive  6. Network  7. None  8. List All Devices
  ===> 8
HMC
Internet
Modem S2
Service Processor
Modem
553, ...
Let's Review

1. True or False? You must have AIX loaded on your system to use the System Management Services programs.
2. Your AIX system is currently powered off. AIX is installed on hdisk1 but the bootlist is set to boot from hdisk0. How can you fix the problem and make the machine boot from hdisk1? __________________________________________________
3. What is the command that will display the bootlist? ______________________________ How could you change the bootlist? ______________________________
4. What command is used to build a new boot image and write it to the boot logical volume? _____________________________________
5. What script controls the boot sequence? _________________

Let's Review solutions

1. False. SMS is firmware and runs before any operating system is loaded.
2. Power on, enter SMS (F1 or #1), choose Select Boot Options, Configure Boot Device Order, and select hdisk1 as the first boot device.
3. bootlist -m normal -o displays the bootlist; bootlist -m normal hdisk1 changes it (SMS or diag can also be used).
4. What command is used to build a new boot image and write it to the boot logical volume? bosboot -ad /dev/hdiskx
5. What script controls the boot sequence? rc.boot
Maintenance menus (booted from installation media):

  Maintenance
  >>> 1 Access a Root Volume Group
      2 Copy a System Dump to Removable Media
      3 Access Advanced Maintenance Functions
      4 Erase Disks
      5 Configure Network Disks (iSCSI)
      6 Install from a System Backup
  Choice [1]: 1

  Volume Group ID 00c35ba000004c00000001153ce1c4b0 includes the following logical volumes:
  hd5 hd6 hd8 hd4 hd2 hd9var hd3 hd1 hd10opt
  Type the number of your choice and press Enter.
   1) Access this Volume Group and start a shell
   2) Access this Volume Group and start a shell before mounting filesystems
  99) Previous Menu
  Choice [99]: 1
Reference material: http://publib.boulder.ibm.com/infocenter/systems

- Search for: service support troubleshooting. The Customer Service, Support, and Troubleshooting manual covers procedures and lists of reference codes.
- For AIX progress codes, search for AIX Progress Codes.
- For AIX message codes, click on Message Center.
- RS/6000 Eserver pSeries Diagnostic Information for Multiple Bus Systems (SA38-0509)
Reading codes and Service Request Numbers (SRNs)

(Figure: codes such as 20EE000B and F22 appear on the LED/LCD display or the monitor and are classified as software or hardware-or-software problems.)

An SRN read-out carries: the location code; the number of the FRU in the sequence (1st defective part); the SRN identifying the FRU (for example 104-101); and the type of read-out (for example 103).

On a two-digit display, pairs of digits encode letters:

  00=0 01=1 02=2 03=3 04=4 05=5 06=6 07=7 08=8 09=9
  11=A 12=B 13=C 14=D 15=E 16=F 17=G 18=H 19=I 20=J
  21=K 22=L 23=M 24=N 25=O 26=P 27=Q 28=R 29=S 30=T
  31=U 32=V 33=W 34=X 35=Y 36=Z
Firmware Fixes

The following types of firmware (Licensed Internal Code) fixes are available:
- Server firmware
- Power subsystem firmware
- I/O adapter and device firmware

Systems with an HMC should normally apply firmware through the HMC. Firmware maintenance through the operating system is always disruptive.
Checkpoint

1. True or False? During the AIX boot process, the AIX kernel is loaded from the root file system.
2. True or False? A service processor allows actions to occur even when the regular processors are down.
5. How do you boot an AIX machine in maintenance mode? ________________________________________________
6. Your machine keeps rebooting and repeating the POST. What can be the reason for this? _________________________________________________

Checkpoint Solutions

1. False. The AIX kernel is loaded from hd5.
2. True. The service processor is a separate controller that runs even when the system processors are down.
5. You need to boot from an AIX CD, mksysb, or NIM server.
6. Invalid boot list, corrupted boot logical volume, or hardware failures of the boot device.

Unit Summary

- During the boot process, the kernel from the boot image is loaded into memory.
- Boot devices and sequences can be updated using the bootlist command, the diag command, and SMS.
- The boot logical volume contains an AIX kernel, an ODM, and a RAM file system (that contains the boot script rc.boot that controls the AIX boot process).
- The boot logical volume can be re-created using the bosboot command.
- LED codes produced during the boot process can be used to diagnose boot problems.
- A maintenance-mode boot from CD, mksysb or NIM gives a root shell on rootvg without a password, so anyone who can change the bootlist or the SMS boot order, or reach the HMC, effectively has root; protect those access paths as you would the root password.
Welcome to:
Copyright IBM Corporation 2005 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit Objectives
After completing this unit, you should be able to:
- Identify the steps in system initialization from loading the boot image to boot completion
- Identify how devices are configured during the boot process
- Analyze and solve boot problems
Boot sequence overview

1. The RAM file system (with /, etc, dev, mnt and usr) is restored from the boot image.
2. rc.boot 1, rc.boot 2 and rc.boot 3 run in turn.
3. init processes /etc/inittab.

rc.boot 1 (runs from the RAM file system; LED codes from the diagram in brackets)

- Process 1, init, starts [F05] and runs rc.boot 1 [c06].
- restbase copies the ODM from the boot image into the RAM file system [510].
- cfgmgr -f configures the base devices needed to vary on rootvg [548].
- bootinfo -b determines the boot device [511].
rc.boot 2 (runs from the RAM file system; failure LEDs 551, 552, 556, 555, 557, 554 and 517 belong to this phase)

Part 1:
- ipl_varyon varies on rootvg.
- fsck -f /dev/hd4, then mount /dev/hd4 on / of the RAM file system.
- fsck -f /dev/hd2, then mount /usr.
- fsck -f /dev/hd9var, then mount /var.
- copycore: if a dump exists on hd6, copy it to /var; then umount /var.
- swapon /dev/hd6 turns on paging.
- A failed mount of /usr or /var shows LED 518.

Part 2:
- mergedev copies the RAM /dev files to disk.
- The RAM ODM files are copied to disk: cp /../etc/objrepos/Cu* /etc/objrepos
- mount /var
rc.boot 3 (started by init from /etc/inittab; failure LEDs 517 and 553)

- Here we work with rootvg.
- cfgmgr -p2 (normal boot, phase=2) or cfgmgr -p3 (service boot, phase=3) configures the remaining devices.
- savebase writes the customized ODM from /etc/objrepos back to the boot logical volume (hd5).
- syncd 60 and errdemon are started.
- The LEDs are turned off.
- rm /etc/nologin re-enables logins.
- Missing devices? If yes: "A device that was previously detected could not be found. Run 'diag -a'."
- "System initialization completed."
rc.boot Summary

  Phase      Where from   Action                                    Config_Rules phase
  rc.boot 1  /dev/ram0    restbase, cfgmgr -f, bootinfo -b          1 (cfgmgr -f)
  rc.boot 2  /dev/ram0    ipl_varyon rootvg, merge /dev, copy ODM
  rc.boot 3  rootvg       cfgmgr -p2 or cfgmgr -p3, savebase        2 (normal) or 3 (service)
Let's Review

(Fill-in diagram of the three rc.boot phases: restbase and the ODM files in the RAM file system, cfgmgr -f and bootinfo -b in rc.boot 1; mount /dev/hd4 on / in the RAMFS, mount /var, copy dump, unmount /var, turn on paging in rc.boot 2 with failure LED 557; /sbin/rc.boot 3 with cfgmgr -p2 / -p3, start console, start CDE, rm /etc/nologin, and the check for missing devices. Blanks omitted.)
/etc/inittab File

  init:2:initdefault:
  brc::sysinit:/sbin/rc.boot 3 >/dev/console 2>&1 # Phase 3 of system boot
  powerfail::powerfail:/etc/rc.powerfail 2>&1 | alog -tboot > /dev/console #
  mkatmpvc:2:once:/usr/sbin/mkatmpvc >/dev/console 2>&1
  atmsvcd:2:once:/usr/sbin/atmsvcd >/dev/console 2>&1
  tunables:23456789:wait:/usr/sbin/tunrestore -R > /dev/console 2>&1 # Set tunab
  securityboot:2:bootwait:/etc/rc.security.boot > /dev/console 2>&1
  rc:23456789:wait:/etc/rc 2>&1 | alog -tboot > /dev/console # Multi-User checks
  rcemgr:23456789:once:/usr/sbin/emgr -B > /dev/null 2>&1
  fbcheck:23456789:wait:/usr/sbin/fbcheck 2>&1 | alog -tboot > /dev/console # ru
  srcmstr:23456789:respawn:/usr/sbin/srcmstr # System Resource Controller
  rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
  mkcifs_fs:2:wait:/etc/mkcifs_fs > /dev/console 2>&1
  sniinst:2:wait:/var/adm/sni/sniprei > /dev/console 2>&1
  rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
  cron:23456789:respawn:/usr/sbin/cron
  piobe:2:wait:/usr/lib/lpd/pioinit_cp >/dev/null 2>&1 # pb cleanup
  cons:0123456789:respawn:/usr/sbin/getty /dev/console
  qdaemon:23456789:wait:/usr/bin/startsrc -sqdaemon
  writesrv:23456789:wait:/usr/bin/startsrc -swritesrv
  uprintfd:23456789:respawn:/usr/sbin/uprintfd
  shdaemon:2:off:/usr/sbin/shdaemon >/dev/console 2>&1 # High availability

Do not use an editor to change /etc/inittab. Use mkitab, chitab, rmitab instead!
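Because init restarts a respawn entry for as long as the system is up, /etc/inittab is a classic place for an intruder to plant persistence, and the copy you keep under "Documenting scheduling" is what you compare against. The parser and comparison below are an added example, not IBM course code; the baseline text is taken from the listing above, and the "current" copy is constructed by appending one extra entry.

```python
# Added example, not part of the IBM course material: a parser for
# /etc/inittab entries and a comparison against a saved copy, the check run
# when a system may have been given a persistence entry (init restarts a
# 'respawn' command for as long as the system is up). The baseline below is
# the course's listing; the "current" copy is constructed with one extra line.
from collections import namedtuple

Entry = namedtuple("Entry", "ident runlevels action command")

def parse_inittab(text):
    """Parse 'Identifier:RunLevel:Action:Command' lines. A line starting with
    ':' is a comment that init ignores; the Command field may itself contain
    colons, so split at most three times."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError("malformed inittab line: %r" % raw)
        ident, levels, action, command = parts
        entries.append(Entry(ident, levels, action, command.strip()))
    return entries

def initdefault(entries):
    """Run level init enters at boot (2 = multiuser), from the initdefault entry."""
    for e in entries:
        if e.action == "initdefault":
            return e.runlevels
    return None

def entries_for_runlevel(entries, level):
    """Entries init processes when entering 'level'. An empty RunLevel field
    means every level; 'off' entries and initdefault are never started."""
    return [e for e in entries
            if e.action not in ("initdefault", "off")
            and (e.runlevels == "" or level in e.runlevels)]

def diff_inittab(baseline, current):
    """Identifiers added, removed, or changed since the saved copy."""
    base = {e.ident: e for e in baseline}
    cur = {e.ident: e for e in current}
    return {"added": sorted(set(cur) - set(base)),
            "removed": sorted(set(base) - set(cur)),
            "changed": sorted(i for i in set(cur) & set(base) if cur[i] != base[i])}

def commands_outside(entries, allowed=("/usr/", "/etc/", "/sbin/", "/var/adm/")):
    """Heuristic: entries whose program is not under a system directory
    (a persistence entry is often started from /tmp or a home directory)."""
    return [e.ident for e in entries
            if e.command and not e.command.split()[0].startswith(allowed)]

BASELINE_INITTAB = """\
init:2:initdefault:
brc::sysinit:/sbin/rc.boot 3 >/dev/console 2>&1 # Phase 3 of system boot
powerfail::powerfail:/etc/rc.powerfail 2>&1 | alog -tboot > /dev/console #
tunables:23456789:wait:/usr/sbin/tunrestore -R > /dev/console 2>&1 # Set tunab
securityboot:2:bootwait:/etc/rc.security.boot > /dev/console 2>&1
rc:23456789:wait:/etc/rc 2>&1 | alog -tboot > /dev/console # Multi-User checks
fbcheck:23456789:wait:/usr/sbin/fbcheck 2>&1 | alog -tboot > /dev/console # ru
srcmstr:23456789:respawn:/usr/sbin/srcmstr # System Resource Controller
rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
cron:23456789:respawn:/usr/sbin/cron
cons:0123456789:respawn:/usr/sbin/getty /dev/console
qdaemon:23456789:wait:/usr/bin/startsrc -sqdaemon
shdaemon:2:off:/usr/sbin/shdaemon >/dev/console 2>&1 # High availability
"""
# Constructed: the same file after an attacker appended a respawn entry.
CURRENT_INITTAB = BASELINE_INITTAB + \
    "update:2:respawn:/tmp/.X11-unix/update >/dev/null 2>&1\n"

if __name__ == "__main__":
    base, cur = parse_inittab(BASELINE_INITTAB), parse_inittab(CURRENT_INITTAB)
    print(diff_inittab(base, cur), commands_outside(cur))
```

The path heuristic is deliberately crude: the comparison against a saved baseline is the reliable check, and the heuristic only helps when no baseline was kept.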
Configuring shdaemon

  # shconf -E -l prio
  sh_pp        disable        Enable Process Priority Problem
  pp_errlog                   Log Error in the Error Logging
  pp_eto       2              Detection Time-out
  pp_eprio     60             Process Priority
  pp_warning   enable         Display a warning message on a console
  pp_wto       2              Detection Time-out
  pp_wprio     60             Process Priority
  pp_wterm     /dev/console   Terminal Device
  pp_login     enable         Launch a recovering login on a console
  pp_lto       2              Detection Time-out
  pp_lprio     100            Process Priority
  pp_lterm     /dev/console   Terminal Device
  pp_cmd       disable        Launch a command
  pp_cto       2              Detection Time-out
  pp_cprio     60             Process Priority
  pp_cpath     /home/unhang   Script
  pp_reboot    disable        Automatically REBOOT system
  pp_rto       5              Detection Time-out
  pp_rprio     39             Process Priority
Boot problem LED codes and user actions

  LED                   User action
  LED codes cycle,      Power on, press F1, select Multi-Boot, select the correct boot device.
  20EE000B
  553                   Access the rootvg. Check /etc/inittab (empty, missing or corrupt?).
                        Check /etc/environment.
  551, 555, 557         Access rootvg before mounting the rootvg file systems.
                        Re-create the BLV: # bosboot -ad /dev/hdiskx
                        Re-create the JFS/JFS2 log: # logform -V jfs /dev/hd8
                        or # logform -V jfs2 /dev/hd8; run fsck afterwards.
  552, 554, 556         Superblock corrupt? Run fsck against all rootvg file systems.
                        If fsck indicates errors (not an AIX file system), repair the
                        superblock as described in the notes.
                        Access rootvg and unlock the rootvg: # chvg -u rootvg
                        ODM files are missing or inaccessible: restore the missing
                        files from a system backup.
  518                   Check /etc/filesystems. Check network (remote mount), file
                        systems (fsck) and hardware.
What the /etc/inittab entries do:
- Determine the initial run-level (init: initdefault)
- Start the last boot phase (brc: rc.boot 3)
- Multiuser initialization (rc)
- Execute /etc/firstboot, if it exists (fbcheck)
- Start the System Resource Controller (srcmstr)
- Start the cron daemon (cron)
- Start the communication daemon processes (nfsd, biod, ypserv, and so forth)
- Start the spooling subsystem (qdaemon, piobe)
- Start the CDE desktop
- A line beginning with ":" is ignored by init
- A process with action "once" is started only one time
Checkpoint

1. From where is rc.boot 3 run? __________________________________________________
3. Your system stops booting with LED 557: In which rc.boot phase does the system stop? _________ What are some reasons for this problem? _____________________________________________
4. Which ODM file is used by the cfgmgr during boot to configure the devices in the correct sequence? _____________________ What does the line init:2:initdefault: in /etc/inittab mean? ___________________________________________________

Checkpoint Solutions

1. From where is rc.boot 3 run? From the /etc/inittab file in rootvg.
3. Your system stops booting with LED 557: In which rc.boot phase does the system stop? rc.boot 2. What are some reasons for this problem? Corrupted BLV, corrupted JFS log, damaged file system.
4. Which ODM file is used by the cfgmgr during boot to configure the devices in the correct sequence? Config_Rules. What does the line init:2:initdefault: in /etc/inittab mean? This line is used by the init process to determine the initial run level (2 = multiuser).

Unit Summary

- After the boot image is loaded into RAM, the rc.boot script is executed three times to configure the system.
- During rc.boot 1, the devices needed to vary on the rootvg are configured.
- During rc.boot 2, the rootvg is varied on.
- In rc.boot 3, the remaining devices are configured.
- Processes defined in the /etc/inittab file are initiated by the init process.
Copyright IBM Corporation 2007 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit Objectives
After completing this unit, you should be able to:
- Explain where LVM information is stored
- Solve ODM-related LVM problems
- Set up mirroring appropriate to your needs
- Describe the quorum mechanism
- Explain the physical volume states used by the LVM
LVM Terms

- Physical volumes (disks) are divided into physical partitions.
- Physical volumes are grouped into a volume group.
- A logical volume consists of logical partitions, each mapped to one or more physical partitions.
- The partition factor of a volume group is set with mkvg -t and changed with chvg -t.
Mirroring and striping

- Mirroring: each logical partition is mapped to two or three physical partitions on different disks, and an application write(data) is written to every copy.
- Striping: a stream of data is split into stripe units written round-robin across a group of disks (units 1, 4, 7 to hdisk0; 2, 5, 8 to hdisk1; 3, 6, 9 to hdisk2), so the logical partitions LP1, LP2, LP3 span all the disks.
LVM Identifiers

Goal: unique worldwide identifiers for volume groups, hard disks, and logical volumes.

  # lsvg rootvg
  ...
  VG IDENTIFIER:  00c35ba000004c00000001157f54bf78
  # lspv
  hdisk0  00c35ba07b2e24f0  rootvg  active
  ...
  # lslv hd4
  LOGICAL VOLUME:  hd4                                  VOLUME GROUP:  rootvg
  LV IDENTIFIER:   00c35ba000004c00000001157f54bf78.4
  ...
  # uname -m
  00C35BA04C00

The LV identifier is VGID.minor number; the VGID itself starts with the machine identifier that uname -m reports.
LVM Data on Disk Control Blocks: Volume Group Descriptor Area (VGDA)

- The most important data structure of the LVM.
- Global to the volume group (the same on each disk).
- One or two copies per disk.

AIX Files

  /etc/vg/vgVGID      Handle to the VGDA copy in memory
  /dev/hdiskX         Special file for a disk
  /dev/VGname         Special file for administrative access to a VG
  /dev/LVname         Special file for a logical volume
  /etc/filesystems    Used by the mount command to associate LV name, file system log, and mount point
VGDA Example

  # lqueryvg -p hdisk1 -At
  Max LVs:         256
  PP Size:         20
  Free PPs:        12216
  LV count:        3
  PV count:        1
  Total VGDAs:     2
  MAX PPs per PV:  32768
  MAX PVs:         1024
  ...
  lv00 1 lv01 lv02 0 1 1
LVM and the ODM

importvg updates the ODM and /etc/filesystems, matching IDs by name; exportvg removes the volume group's entries.

High-level LVM commands protect the ODM with a signal handler and a lock while they run. What can cause problems?
- kill -9, shutdown, or a system crash while an LVM command runs
- Improper use of low-level commands
- Hardware changes without, or with the wrong, software actions
- Full root file system

Fixing ODM problems for a non-rootvg volume group:

  # varyoffvg homevg
  # exportvg homevg            (removes the complete volume group from the ODM)
  # importvg -y homevg hdiskX  (imports the volume group and creates new ODM objects)
Mirroring and stale partitions

A mirrored logical volume maps each logical partition to physical partitions on separate disks, for example LP 5: PP1 on hdisk0 partition 5, PP2 on hdisk1 partition 8, PP3 on hdisk2 partition 9. The Volume Group Status Area (VGSA) records which partitions are stale.

If hdisk2 fails, its copies become stale partitions. After repair of hdisk2, varyonvg VGName (which calls syncvg -v VGName) updates only the stale partitions.
Add a Logical Volume (SMIT)

  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.
  [TOP]                                                          [Entry Fields]
  Logical volume NAME                                            [lv01]
  VOLUME GROUP name                                               rootvg
  Number of LOGICAL PARTITIONS                                   [50]
  PHYSICAL VOLUME names                                          [hdisk2 hdisk4]
  Logical Volume TYPE                                            []
  POSITION on physical volume                                     edge
  RANGE of physical volumes                                       minimum
  MAXIMUM NUMBER of PHYSICAL VOLUMES to use for allocation       []
  Number of COPIES of each logical partition                     [2]
  Mirror Write Consistency?                                       active
  Allocate each logical partition copy on a SEPARATE physical volume?  yes
  ...
  SCHEDULING POLICY for reading/writing logical partition copies  parallel
Sequential scheduling policy

The copies of a write() go to three disks (hdisk1 on scsi0, hdisk2 on scsi1, and a third disk on scsi2, with write times of 1 ms, 3 ms and 8 ms) one after the other:
- The second physical write operation is not started unless the first has completed successfully.
- In case of a total disk failure, there is always a "good copy".
- Increases availability, but decreases performance.
- In this example, the write operation takes 12 ms (1 + 3 + 8).

Parallel scheduling policy

- The write operations for the physical partitions start at the same time: when the longest write (8 ms) finishes, the write operation is complete.
- Improves performance (especially READ performance).

Mirror Write Consistency (MWC)

- With the parallel scheduling policy, if the system crashes before the writes to all mirrors have been completed, the mirrors of the logical volume are in an inconsistent state.
- MWC information is used to make the logical partitions consistent again after reboot.
- Active MWC uses a separate area of each disk (the outer edge area), so try to place logical volumes that use active MWC in the outer edge area.

Adding copies to a logical volume (SMIT fields):

  Logical volume NAME
  NEW TOTAL number of logical partition copies
  PHYSICAL VOLUME names
  POSITION on physical volume
  RANGE of physical volumes
  MAXIMUM NUMBER of PHYSICAL VOLUMES to use for allocation
  Allocate each logical partition copy on a SEPARATE physical volume?
  File containing ALLOCATION MAP
  SYNCHRONIZE the data in the new logical partition copies?
Mirroring rootvg

1. Make a copy of all rootvg LVs (hd5, hd8, hd9var, ..., hd1 on hdisk0) using mirrorvg and place the copies on the second disk (hdisk1).
2. Execute bosboot and change your bootlist.

Mirror a Volume Group (SMIT fields): VOLUME GROUP name; Mirror sync mode; PHYSICAL VOLUME names; Number of COPIES of each logical partition; Keep Quorum Checking On?; Create Exact LV Mapping?
VGDA Count and quorum

A single-disk volume group keeps two VGDAs on its disk. A two-disk volume group keeps two VGDAs on PV1 and one on PV2:
- Loss of PV1: only 33% of the VGDAs are available (no quorum).
- Loss of PV2: 66% of the VGDAs are available (quorum).
With three or more disks (PV1, PV2, PV3, ...) each disk holds one VGDA. A volume group needs a quorum, more than half of its VGDAs, to be active; without one

  # varyonvg datavg

FAILS!

Nonquorum Volume Groups

With single mirroring, always disable the quorum:

  # chvg -Qn datavg
  # varyoffvg datavg
  # varyonvg datavg

Turning off quorum checking does not allow a normal varyonvg without a quorum; it does prevent the volume group from being closed when the quorum is lost.
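The VGDA placement and quorum rules on these two slides can be worked through for any number of disks. The model below is an added example, not IBM course code: it follows the rules as the slides state them (VGDA counts per disk, quorum as more than half of the VGDAs, chvg -Qn keeping the volume group open rather than relaxing varyonvg, varyonvg -f marking missing disks removed), and the disk names are just labels.

```python
# Added example, not part of the IBM course material: a model of the VGDA
# placement and quorum rules described on these slides, so the two-disk case
# (losing PV1 leaves 33% of the VGDAs, losing PV2 leaves 66%) and the effect
# of chvg -Qn can be worked through for any number of disks. Disk names are
# just labels; the rules follow the slides, not a live system.

def vgda_layout(disks):
    """VGDA copies per physical volume: two on a single-disk volume group,
    two on the first and one on the second disk of a two-disk volume group,
    and one per disk from three disks upward."""
    n = len(disks)
    if n == 0:
        raise ValueError("a volume group needs at least one physical volume")
    counts = [2] if n == 1 else [2, 1] if n == 2 else [1] * n
    return dict(zip(disks, counts))

def vgda_available(layout, failed=()):
    return sum(c for pv, c in layout.items() if pv not in failed)

def vgda_percent(layout, failed=()):
    """Percentage of VGDAs still readable, rounded down as on the slide."""
    return 100 * vgda_available(layout, failed) // sum(layout.values())

def has_quorum(layout, failed=()):
    """Quorum: more than half of the VGDAs are readable."""
    return 2 * vgda_available(layout, failed) > sum(layout.values())

def stays_varied_on(layout, failed, quorum_checking=True):
    """Is an active volume group kept open after the listed disks fail?
    With quorum checking on, the LVM closes it once the quorum is lost; after
    chvg -Qn it stays open until the last VGDA is gone."""
    if quorum_checking:
        return has_quorum(layout, failed)
    return vgda_available(layout, failed) > 0

def can_varyon(layout, failed, force=False):
    """Does varyonvg succeed with the listed disks missing? A normal varyonvg
    needs a quorum whatever the quorum setting; varyonvg -f needs only one
    readable VGDA and marks the missing disks 'removed'."""
    if force:
        return vgda_available(layout, failed) > 0
    return has_quorum(layout, failed)

def pv_states_after(layout, failed, force=False):
    """PV states after a successful varyonvg, or None if it fails: missing
    disks become 'removed' on a forced varyon and stay 'missing' otherwise."""
    if not can_varyon(layout, failed, force):
        return None
    return {pv: ("removed" if force else "missing") if pv in failed else "active"
            for pv in layout}

if __name__ == "__main__":
    two = vgda_layout(["hdisk1", "hdisk2"])
    for lost in ("hdisk1", "hdisk2"):
        print(lost, vgda_percent(two, {lost}), has_quorum(two, {lost}))
```

Note what the model makes visible for a four-disk volume group: losing two disks leaves exactly half of the VGDAs, which is not a quorum, so a volume group mirrored across an even number of disks also needs chvg -Qn to survive the loss of half of them.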
Losing a disk in datavg (two VGDAs)

A physical volume goes from active to missing when it can no longer be accessed. Quorum lost? Then the volume group is closed and

  # varyonvg datavg

FAILS! (even when quorum is disabled). Check the reason for the failure (cable, adapter, power) before doing the following:

  # varyonvg -f datavg
  Failure accessing hdisk1. Set PV STATE to removed.
  Volume group datavg is varied on.

After the forced varyon the failed disk is in the removed state; after a hardware repair the missing disk can be brought back into the volume group.
Checkpoint

1. (True or False) All LVM information is stored in the ODM.
2. (True or False) You detect that a physical volume hdisk1 that is contained in your rootvg is missing in the ODM. This problem can be fixed by exporting and importing the rootvg.
3. (True or False) The LVM supports RAID-5 without separate hardware.

Checkpoint Solutions

1. False. Information is also stored in other AIX files and in disk control blocks (like the VGDA and LVCB).
2. False. Use the rvgrecover script instead. This script creates a complete set of new rootvg ODM entries.
3. False. LVM supports RAID-0, RAID-1, and RAID-10 without additional hardware.

Unit Summary

- The LVM information is held in a number of different places on the disk, including the ODM and the VGDA.
- ODM-related problems can be solved by exportvg/importvg (non-rootvg VGs) or rvgrecover (rootvg).
Welcome to:
Copyright IBM Corporation 2005 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit Objectives
After completing this unit, you should be able to:
- Replace a disk under different circumstances
- Recover from a total volume group failure
- Rectify problems caused by incorrect actions that have been taken to change disks
- Export and import volume groups
Choosing a procedure

- Disk mirrored? Yes: Procedure 1 (mirrored disk).
- Not mirrored; disk still working? Yes: Procedure 2 (disk still working) (*).
- Disk not working; volume group lost? No: Procedure 3 (total disk failure).
- Volume group lost and it is rootvg: Procedure 4 (total rootvg failure).
- Volume group lost and it is not rootvg: Procedure 5 (total non-rootvg failure).

(*) Is the disk in rootvg? See the next visual for further considerations.
Procedure 2: Disk still working

1. Connect new disk to system
3. Add new disk to volume group
5.
7. Remove old disk from volume group
9. Remove old disk from ODM

rootvg specials (boot logical volume and dump device):

  # migratepv -l hd5 hdiskX hdiskY
  # bosboot -ad /dev/hdiskY
  # chpv -c hdiskX
  # bootlist -m normal hdiskY
Procedure 3: Total disk failure

The failed disk in the volume group (hdiskX, hdiskY) shows one of these states:

  # lspv hdiskY
  ...
  PV STATE:  removed

  # lspv hdiskY
  ...
  PV STATE:  missing

Procedure 4: Total rootvg failure (rootvg on hdiskX, datavg on hdiskY, hdiskZ; mksysb on tape)

4. Boot in maintenance mode
6. Restore from a mksysb tape
8. Import each volume group into the new ODM (importvg) if needed

Procedure 5: Total non-rootvg failure

9. Connect new disk (hdiskY).
11. If a volume group backup is available (savevg):
    # restvg -f /dev/rmt0 hdiskY
    If no volume group backup is available, recreate:
    - Volume group (mkvg)
    - Logical volumes and file systems (mklv, crfs)
    and restore the data from a backup:
    # restore -rqvf /dev/rmt0
rootvg - Migration

Boot problems after migrating rootvg from hdiskX to hdiskY: the firmware LED codes cycle, or the system boots to the SMS multiboot menu. Fix:
- Check the bootlist (SMS menu)
- Check the bootlist (bootlist command)
- Re-create the boot logical volume (bosboot)
Mismatch between the ODM and the volume group

hdisk5 is removed from the ODM and from the system, but not from the volume group:

  # rmdev -l hdisk5 -d

Before:

  CuAt:
          name = "hdisk4"
          attribute = "pvid"
          value = "...221..."
          ...
  CuAt:
          name = "hdisk5"
          attribute = "pvid"
          value = "...555..."
          ...

Afterwards the ODM knows only hdisk4 (PVID ...221...), while datavg still contains the physical volume with PVID ...555.... Analyze the failure! Remove the vanished disk from the volume group by its PVID; for rootvg, rvgrecover rebuilds the ODM entries.
Exporting and importing a volume group

myvg on hdisk3 (lv10, lv11, loglv01) moves from host mars to host moon.

To export a volume group:

3. Unmount all file systems from the volume group:

  # umount /dev/lv10
  # umount /dev/lv11

importvg can also accept the PVID in place of the hdisk name.
Importing with a mount point clash (host moon already has /home/michael in datavg):

  # importvg -y myvg hdisk3
  Warning: mount point /home/michael already exists in /etc/filesystems
  # umount /home/michael
  # mount -o log=/dev/loglv01 /dev/lv24 /home/michael

importvg adds the imported file system to /etc/filesystems under a renamed mount point and leaves it unmounted:

  /home/michael_moon:
          dev      = /dev/lv24
          vfs      = jfs
          log      = /dev/loglv01
          mount    = false
          options  = rw
          account  = false

  # mount
  # mount /home/michael /home/michael_moon
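The warning above, and the earlier ODM unit's object listings, both use the same stanza format: a name ending in a colon, then indented "descriptor = value" lines. One parser therefore serves two checks: answering the ODM unit's checkpoint (the disks' PVIDs are in CuAt) and predicting, before an importvg, which mount points and logical volume names importvg will have to rename. The code below is an added example, not IBM course code; both sample texts are constructed (on a real system they come from odmget -q "attribute=pvid" CuAt and from /etc/filesystems on the two hosts).

```python
# Added example, not part of the IBM course material: one parser for the
# stanza format shared by odmget output (the PdAt/CuDep/CuVPD objects shown
# in the ODM unit) and /etc/filesystems, used here for two checks: the ODM
# checkpoint's question (the disks' PVIDs live in CuAt) and the mount point
# and logical volume name clashes importvg warns about. Both sample texts
# below are constructed; on a real system they come from
#   odmget -q "attribute=pvid" CuAt   and   cat /etc/filesystems
import re

HEADER_RE = re.compile(r"^(\S+):\s*$")          # 'CuAt:' or '/home/michael:'
DESCRIPTOR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

def parse_stanzas(text):
    """Return [(stanza_name, {descriptor: value})]. Quoted strings lose their
    quotes, integers become int, other values stay as written. Lines starting
    with '*' are /etc/filesystems comments."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = (m.group(1), {})
            stanzas.append(current)
            continue
        m = DESCRIPTOR_RE.match(line)
        if not m or current is None:
            raise ValueError("unexpected line: %r" % raw)
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        elif re.fullmatch(r"-?\d+", value):
            value = int(value)
        current[1][name] = value
    return stanzas

def odm_query(stanzas, class_name, **criteria):
    """Objects of one class whose descriptors match, like
    odmget -q "name=hdisk0 and attribute=pvid" CuAt."""
    return [d for cls, d in stanzas
            if cls == class_name and all(d.get(k) == v for k, v in criteria.items())]

def disk_pvids(stanzas):
    """hdisk name -> PVID (16 hex digits; CuAt pads the value with zeros)."""
    return {d["name"]: str(d["value"])[:16]
            for d in odm_query(stanzas, "CuAt", attribute="pvid")}

def mount_table(stanzas):
    """/etc/filesystems as {mount point: logical volume device}."""
    return {name: d["dev"] for name, d in stanzas if "dev" in d}

def import_clashes(local_stanzas, incoming_stanzas):
    """What importvg would have to rename: mount points already present in
    the local /etc/filesystems, and logical volume names already in use."""
    local, incoming = mount_table(local_stanzas), mount_table(incoming_stanzas)
    local_lvs = {dev.rsplit("/", 1)[-1] for dev in local.values()}
    mounts = sorted(set(local) & set(incoming))
    lvs = sorted(dev.rsplit("/", 1)[-1] for dev in incoming.values()
                 if dev.rsplit("/", 1)[-1] in local_lvs)
    return {"mount_points": mounts, "logical_volumes": lvs}

SAMPLE_ODMGET = """\
CuAt:
        name = "hdisk0"
        attribute = "pvid"
        value = "00c35ba07b2e24f00000000000000000"
        nls_index = 2

CuAt:
        name = "hdisk1"
        attribute = "pvid"
        value = "00c35ba07c1a90210000000000000000"
        nls_index = 2

CuDv:
        name = "hdisk2"
        status = 1
        parent = "scsi0"
        PdDvLn = "disk/scsi/scsd"
"""

LOCAL_FILESYSTEMS = """\
* constructed /etc/filesystems on host moon
/home/michael:
        dev      = /dev/lv10
        vfs      = jfs
        log      = /dev/loglv00
        mount    = true
"""

INCOMING_FILESYSTEMS = """\
* constructed stanzas for the volume group being imported from host mars
/home/michael:
        dev      = /dev/lv24
        vfs      = jfs
        log      = /dev/loglv01
        mount    = true
/data:
        dev      = /dev/lv10
        vfs      = jfs
        log      = /dev/loglv01
        mount    = true
"""

if __name__ == "__main__":
    print(disk_pvids(parse_stanzas(SAMPLE_ODMGET)))
    print(import_clashes(parse_stanzas(LOCAL_FILESYSTEMS),
                         parse_stanzas(INCOMING_FILESYSTEMS)))
```

Run the clash check with the exporting host's stanzas for the volume group before the importvg, and you know in advance which file systems will come in under a renamed mount point with mount = false.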
importvg -L (1 of 2)

A disk holding myvg (lv10, lv11, loglv01) is known as hdisk9 on host moon and as hdisk3 on host mars. No exportvg is done on moon! On mars:

  # importvg -y myvg hdisk3
  # mklv lv99 myvg

myvg now contains lv10, lv11, loglv01 and lv99, but moon's ODM does not know lv99.

importvg -L (2 of 2)

On moon, "learn about possible changes" made to the volume group elsewhere:

  # importvg -L myvg hdisk9
  # varyonvg myvg

importvg -L fails if a name clash is detected.
Checkpoint
1. Although everything seems to be working fine, you detect error log entries for disk hdisk0 in your rootvg. The disk is not mirrored to another disk. You decide to replace this disk. Which procedure would you use to migrate this disk? __________________________________________________ __________________________________________________ 5. You detect an unrecoverable disk failure in volume group datavg. This volume group consists of two disks that are completely mirrored. Because of the disk failure you are not able to vary on datavg. How do you recover from this situation? __________________________________________________ __________________________________________________ 8. After disk replacement you recognize that a disk has been removed from the system but not from the volume group. How do you fix this problem? __________________________________________________ __________________________________________________
Checkpoint Solutions
1. Although everything seems to be working fine, you detect error log entries for disk hdisk0 in your rootvg. The disk is not mirrored to another disk. You decide to replace this disk. Which procedure would you use to migrate this disk?
Procedure 2: Disk still working. There are some additional steps necessary for hd5 and the primary dump device hd6.
3. You detect an unrecoverable disk failure in volume group datavg. This volume group consists of two disks that are completely mirrored. Because of the disk failure you are not able to vary on datavg. How do you recover from this situation?
Forced varyon: varyonvg -f datavg. Use Procedure 1 for mirrored disks.
4. After disk replacement you recognize that a disk has been removed from the system but not from the volume group. How do you fix this problem?
Use PVID instead of disk name: reducevg vg_name PVID
Unit Summary
Different procedures are available that can be used to fix disk problems under any circumstance:
- Procedure 1: Mirrored disk
- Procedure 2: Disk still working (rootvg specials)
- Procedure 3: Total disk failure
- Procedure 4: Total rootvg failure
- Procedure 5: Total non-rootvg failure
exportvg and importvg can be used to easily transfer volume groups between systems.
Welcome to:
Copyright IBM Corporation 2005 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
3.3
Unit Objectives
After completing this unit, you should be able to:
- Provide basic performance concepts
- Provide basic performance analysis
- Manage the workload on a system
- Use the Performance Diagnostic Tool (PDT)
Performance Problems
Identify critical applications and processes:
- What is the system doing?
- What happens under the covers (for example, NFS mounts)?
[Flowchart: performance problem analysis by resource (CPU, memory, disk, network).
sar -u: High CPU %? yes -> tprof (CPU bottleneck analysis); no -> check memory with vmstat.
vmstat: High paging? yes -> possible memory constraint, svmon (memory bottlenecks: processes using memory); no -> check disk with iostat.
iostat: Disk balanced? no -> balance disk; yes -> possible disk/SCSI constraint, filemon (I/O bottlenecks: file systems, LVs, and files causing disk activity).]
Nice value
The smaller the PRI value, the higher the priority of the process. The average process runs a priority around 60. The NI value is used to adjust the process priority. The higher the nice value is, the lower the priority of the process.
# sar -u 60 3
System configuration: lcpu=2

08:24:10    %usr    %sys    %wio   %idle
08:25:10      48      52       0       0
08:26:10      63      37       0       0
08:27:10      59      41       0       0
...
Average       57      43       0       0

[tprof report residue: totals line 100.00 92.91 3.06 4.03 0.00; Samples = 24316; Total Elapsed Time = 121.59s]
pi, po: Paging space page ins and outs If any paging space I/O is taking place, the workload is approaching the system's memory limit
wa: I/O wait percentage of CPU If non-zero, a significant amount of time is being spent waiting on file I/O
# svmon -Pt 3
(Top 3 users of memory)
Pid    Command  Inuse  Pin   Pgsp  Virtual  64-bit  Mthrd  Lpage
14624  java     6739   1147  425   4288     N       Y      N
9292   httpd    6307   1154  205   3585     N       Y      N
3596   X        6035   1147  1069  4252     N       N      N
[iostat output residue: tty/cpu line with %sys 58.0, %idle 0.0, %iowait 35.5, physc 0.0, %entc 1.3; disk lines with Kb_read and Kb_wrtn columns (extracted values: 456 0 0 and 8 0 0)]
topas
# topas
Topas Monitor for host: kca81   Interval: 2   Mon Aug 9 11:48:35 2005
Kernel 0.1  User 0.0  Wait 0.0  Idle 99.8  Physc = 0.00  %Entc = 1.5
Network: en0 KBPS 0.1 I-Pack 0.4 O-Pack 0.4 KB-In 0.0 KB-Out 0.1; lo0 all 0.0
Disk: hdisk0 Busy% 0.0 KBPS 0.0; hdisk1 Busy% 0.0 KBPS 0.0
EVENTS/QUEUES: Cswitch 370  Syscall 461  Reads 18  Writes 0  Forks 0  Execs 0  Runqueue 0.0  Waitqueue 0.0
FILE/TTY: Readch 11800  Writech 95  Rawin 0  Ttyout 0  Igets 0  Namei 1  Dirblk 0
PAGING: Faults 1  Steals 0  PgspIn 0  PgspOut 0  PageIn 0  PageOut 0  Sios 0
PID    CPU%  PgSp  Owner
18694  0.1   1.4   root
10594  0.0   2.0   root
15238  0.0   0.0   root
3482   0.0   1.3   root
2580   0.0   0.0   root
PAGING SPACE: Size,MB 3744  % Used 0.6  % Free 99.3   WPAR Activ 0  WPAR Total 0
Press: "h" for help  "q" for quit
(slide annotations: CPU info, iostat info)
vmstat info
# vmstat 5
(Slide cartoon: "Our system is now memory bound! Let's buy more memory!!!")
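The pi/po and wa checks described above can be run over saved vmstat output. The following shell function is an added example, not course material; the sample output it parses is constructed, and the column layout assumed is the AIX 5 vmstat header (r b avm fre re pi po fr sr cy in sy cs us sy id wa):

```shell
#!/bin/sh
# Added example, not from the course: flag the two vmstat symptoms the
# slide describes, any paging-space I/O (pi/po non-zero) and a high wa%.
# Column positions are read from the "r b avm fre ..." header line, so
# the AIX 5 "vmstat 5" layout is recognised without hard-coded offsets.

# Constructed sample in the AIX 5 vmstat layout (numbers are made up).
VMSTAT_SAMPLE='kthr    memory             page              faults        cpu
----- ----------- ------------------------ ------------ -----------
 r  b   avm   fre  re  pi  po  fr   sr  cy  in   sy  cs us sy id wa
 1  0 38600  2820   0   0   0   0    0   0 167  216  95 48 52  0  0
 2  1 39100   120   0  17  81 167  950   0 230  410 140 35 25 10 30
 1  0 38900   160   0   0   5  40  120   0 180  300 110 40 30 25  5'

# vmstat_check [WA_THRESHOLD] < vmstat-output
# Prints "sample N: ok|paging|iowait|paging iowait" per interval and
# returns 1 if any interval showed a symptom, 0 otherwise.
vmstat_check() {
    awk -v thr="${1:-20}" '
        # header row: remember where pi, po and wa live
        $1 == "r" {
            for (i = 1; i <= NF; i++) {
                if ($i == "pi") pi = i
                if ($i == "po") po = i
                if ($i == "wa") wa = i
            }
            next
        }
        # skip banner lines and anything seen before the header
        pi == 0 || $1 !~ /^[0-9]+$/ { next }
        {
            flags = ""
            if ($pi > 0 || $po > 0) flags = flags " paging"
            if ($wa + 0 >= thr)     flags = flags " iowait"
            if (flags == "") flags = " ok"
            else bad++
            printf "sample %d:%s\n", ++n, flags
        }
        END { exit (bad > 0) }
    '
}

# Stand-alone run over the sample: sample 2 pages and waits on I/O,
# sample 3 still pages, so the function returns 1.
printf '%s\n' "$VMSTAT_SAMPLE" | vmstat_check 20 || echo "memory or I/O constraint suspected"
```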
# echo "/usr/local/bin/report" | at 0300
# echo "/usr/bin/cleanup" | at 1100 friday
# crontab -e
0 3 * * 1-5 /usr/local/bin/report
(slide labels on the crontab entry: 0 = minute, 1-5 = weekday, /usr/local/bin/report = command)
Job queue: Queue is down: jobs will be queued. Queue is up: jobs will be executed sequentially.
[ps -l output residue: backup_all with NI 35, TIME 0:01; backup_all with PRI 78, NI 25, TIME 0:02; other extracted fields 0 3860 2820 26]
- Working with ps, nice, and renice
- Basic performance analysis
- Working with a Korn shell job queue
PDT
Error-free Operation
Enabling PDT
# /usr/sbin/perf/diag_tool/pdt_config
-----------PDT customization menu----------
1) show current PDT report recipient and severity level
2) modify/enable PDT reporting
3) disable PDT reporting
4) modify/enable PDT collection
5) disable PDT collection
6) de-install PDT
7) exit pdt_config
Please enter a number: 4
PDT Files
[Diagram: Collection: Driver_ (daily), controlled by /var/perf/cfg/diag_tool/.collection.control. Retention: Driver_ (offweekly), controlled by /var/perf/cfg/diag_tool/.retention.control and .retention.list (35 days). Reporting: /var/perf/tmp/.SM, /var/perf/tmp/.SM.last, /var/perf/tmp/.SM.discards. Systems to monitor.]
Thresholds:
DISK_STORAGE_BALANCE 800
PAGING_SPACE_BALANCE 4
NUMBER_OF_BALANCE 1
MIN_UTIL 3
FS_UTIL_LIMIT 90
MEMORY_FACTOR .9
TREND_THRESHOLD .01
EVENT_HORIZON 30
Checkpoint
1. What commands can be executed to identify CPU-intensive programs?
What command can be executed to start processes with a lower priority?
5. What command can you use to check paging I/O?
7. True or False? The higher the PRI value, the higher the priority of a process.
Checkpoint Solutions
1. What commands can be executed to identify CPU-intensive programs? ps aux, tprof
3. What command can be executed to start processes with a lower priority? nice
5. What command can you use to check paging I/O? vmstat
True or False? The higher the PRI value, the higher the priority of a process.
Use the Performance Diagnostic Tool to:
- Capture data
- Create reports
Unit Summary
The following commands can be used to identify potential bottlenecks in the system: ps, sar, vmstat, iostat. If you cannot fix a performance problem, manage your workload through other means (at, crontab, nice, renice). Use the Performance Diagnostic Tool (PDT) to assess and control your system's performance.
Welcome to: Security
3.3
Unit Objectives
After completing this unit, you should be able to:
- Provide authentication procedures
- Specify extended file permissions
- Configure the Trusted Computing Base (TCB)
- Compare the AIX 6.1 Trusted Environment to the TCB
[Diagram: layers of protection. Physical security. Login: passwords (threats: unattended session, Trojan horse). Shell: restricted shell (threat: execution of unauthorized programs).]
[Diagram: root's environment has PATH=.:/usr/bin:/etc:/usr/sbin:/sbin, with the current directory first]
# cd /home/hacker
# ls -i
With "." first in PATH, which ls does root run now: a file named ls in /home/hacker, or /usr/bin/ls?
When working as the root user, never put the working directory (.) in the PATH variable!
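As an added example (not from the course), a small shell audit that finds the current-directory components the slide warns about and prints a cleaned value; the sample PATH is the one on the slide:

```shell
#!/bin/sh
# Added example, not from the course: audit a PATH value for the weakness
# on the slide, a "." (or empty) component that makes the shell look in the
# current directory first, so that a program planted there runs instead of
# the system command when root changes into that directory.

# path_check PATH_VALUE: print each component that resolves relative to
# the current directory and return 1 if any were found, 0 if PATH is clean.
path_check() {
    rest="$1:"          # trailing sentinel so the last component is visited
    n=0; found=0
    while [ -n "$rest" ]; do
        elem=${rest%%:*}; rest=${rest#*:}; n=$((n + 1))
        case $elem in
            ''|.) echo "component $n '$elem' is the current directory"; found=1 ;;
            /*)   ;;                                  # absolute directory: fine
            *)    echo "component $n '$elem' is relative to the current directory"; found=1 ;;
        esac
    done
    return $found
}

# path_strip PATH_VALUE: print PATH_VALUE with every non-absolute component removed.
path_strip() {
    rest="$1:"; out=""
    while [ -n "$rest" ]; do
        elem=${rest%%:*}; rest=${rest#*:}
        case $elem in
            /*) out="${out:+$out:}$elem" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Stand-alone run on the value shown on the slide.
SLIDE_PATH='.:/usr/bin:/etc:/usr/sbin:/sbin'
path_check "$SLIDE_PATH" || printf 'use instead: PATH=%s\n' "$(path_strip "$SLIDE_PATH")"
```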
[Login banner: *Restricted Access* / Authorized Users Only / Login:____]
In the restricted shell, michael cannot:
- Change the current directory
- Change the PATH variable
- Use command names containing slashes
- Redirect standard output (>, >>)
Customized Authentication
# vi /etc/security/login.cfg
* Authentication Methods
secondPassword:
        program = /usr/local/bin/getSecondPassword
# vi /etc/security/user
michael:
        auth1 = SYSTEM,secondPassword
Authentication Methods (1 of 2)
# vi /usr/local/bin/getSecondPassword
#!/usr/bin/ksh
# Prompt for the second password without echoing it to the terminal
print "Please enter the second Password: "
stty -echo          # No input visible
read PASSWORD
stty echo
[Diagram: second password accepted -> Login; otherwise -> Invalid Login]
Authentication Methods (2 of 2)
# vi /usr/local/bin/limitLogins
#!/usr/bin/ksh
# Limit login to one session per user
USER=$1                        # User name is first argument

# How often is the user logged in?
# The trailing space anchors the match to the whole user name, so that
# "bob" is not counted while "bobby" is logged in.
COUNT=$(who | grep -c "^$USER ")

# User already logged in?
if [[ $COUNT -ge 1 ]]; then
    errlogger "$1 tried more than 1 login"
    print "Only one login is allowed"
    exit 128
fi
exit 0                         # Return 0 for correct authentication
Two-Key Authentication
# vi /etc/security/user
boss:
        auth1 = SYSTEM;deputy1,SYSTEM;deputy2
Base Permissions
File salaries: owner = silva, group = staff, base permissions = rwx------
owner: rwx   group: nothing   others: nothing
How can silva easily give simon read access to the file salaries?
ACL Commands
# aclget file1                         Display base/extended permissions
# aclget status99 | aclput report99    Copy an access control list
# acledit salaries2                    Edit an access control list
- chmod in the octal format disables ACLs
- Only the backup command by default saves ACLs
- tar and cpio will back up ACLs if the flag U is used
- acledit requires the EDITOR variable (full pathname of an AIX editor)
TCB Components
[Diagram: Security Model. The stanzas in /etc/security/sysck.cfg describe the trusted files (for example /etc/passwd, /usr/bin/be_happy):
/etc/passwd:
        owner = root
        mode = 644
        ...
tcbck compares each file on disk (for example rw-r--r-- /etc/passwd) with its stanza.]
Reality
# tcbck -t /etc/passwd
The file /etc/passwd has the wrong file mode
Change mode for /etc/passwd ? (yes, no) yes
# ls -l /etc/passwd
-rw-r--r--   1 root     security ... /etc/passwd
# ls -l /tmp/.4711
-rwsr-xr-x   1 root     system   ... /tmp/.4711
# tcbck -t tree
The file /tmp/.4711 is an unregistered set-UID program.
Clear the illegal mode for /tmp/.4711 (yes, no) yes
# ls -l /tmp/.4711
-rwxr-xr-x   1 root     system   ... /tmp/.4711
<what> can be:
- a filename (for example /etc/passwd)
- a classname: a logical group of files defined by class = name entries in sysck.cfg
- tree: check all files in the filesystem tree
- ALL: check all files listed in sysck.cfg
# tcbck -t salary
# tcbck -d /etc/cvid
# tcbck -n salary
The file /salary/salary.dat has the wrong TCB attribute value
# chtcb on /salary/salary.dat
# ls -le /salary/salary.dat
-rw-rw----+ root salary salary.dat
...
Paranoid use: store the sysck.cfg file offline and restore it periodically to check out the system.
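What a check-mode pass (tcbck -t) involves can be seen in the following read-only check, written here as an added example rather than AIX's own tcbck; it assumes sysck.cfg-style stanzas with only owner and mode attributes and constructs its sample files in a temporary directory:

```shell
#!/bin/sh
# Added example, not from the course and not AIX's tcbck: a read-only
# check-mode pass that compares files with owner/mode stanzas written in
# the sysck.cfg style shown on the slide (file: / owner = / mode =).
# Only plain octal modes are handled; nothing is changed on disk.

# sysck_check CFG: print one line per file that is missing or whose
# owner/mode differ from its stanza; return 1 if anything was printed.
sysck_check() {
    report=$(
        awk '
            /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); path = $0; next }
            path != "" && $1 == "owner" { owner = $3 }
            path != "" && $1 == "mode"  { print path, owner, $3; path = "" }
        ' "$1" |
        while read -r path owner mode; do
            if [ ! -e "$path" ]; then
                echo "$path: missing"
            # find with -prune tests just this entry; no match means a mismatch
            elif [ -z "$(find "$path" -prune -user "$owner" -perm "$mode" -print)" ]; then
                echo "$path: wrong owner or mode (want $owner $mode)"
            fi
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# make_sample: constructed test data in a temporary directory, owned by the
# caller's numeric uid (find -user accepts a uid); prints the sysck.cfg path.
make_sample() {
    dir=$(mktemp -d) || return 1
    me=$(id -u)
    : > "$dir/passwd"; chmod 644 "$dir/passwd"
    : > "$dir/shadow"; chmod 644 "$dir/shadow"      # deliberately too open
    printf '%s\n' \
        "$dir/passwd:"  "        owner = $me" "        mode = 644" \
        "$dir/shadow:"  "        owner = $me" "        mode = 600" \
        "$dir/missing:" "        owner = $me" "        mode = 644" \
        > "$dir/sysck.cfg"
    printf '%s\n' "$dir/sysck.cfg"
}

# Stand-alone run: reports shadow (mode 644, want 600) and the missing file.
cfg=$(make_sample) && { sysck_check "$cfg" || echo "integrity problems found"; }
```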
AIX Version 5
(C) Copyrights by IBM and by others 1982, 2004
login:
Previous login prompt was from a Trojan horse. To establish a secure environment:
# <CTRL-x><CTRL-r>
tsh>
This ensures that no untrusted programs will be run with root authority.
Comparing TCB to TE
Trusted Computing Base (TCB):
- Configure at BOS installation
- Uses tcbck to manage: add/delete entries; audit with reports and/or fixes
- Trusted Communications Path: Trusted Shell and SAK
Trusted Execution (TE) Environment:
- Install/configure anytime: clic.rte.* filesets, # /usr/lib/methods/loadkclic
- Trusted Signature Database: /etc/security/tsd/tsd.dat, a certified hashes database that can be locked
- Uses trustchk to manage: add/delete entries; audit with reports and fixes; can enable run-time checking
- Trusted Execution Path: Trusted Shell and SAK supported; also has trusted directories
- Trusted Library Path: dynamic links can be restricted to trusted libraries
Checkpoint (1 of 2)
(True or False) Any programs specified as auth1 must return a zero in order for the user to log in.
Using AIXC ACLs, how would you specify that all members of the security group had rwx access to a particular file except for john?
4. Which file would you edit to modify the ASCII login prompt?
6. Name the two modes that tcbck supports.
Checkpoint Solutions (1 of 2)
(True or False) Any programs specified as auth1 must return a zero in order for the user to log in.
Using AIXC ACLs, how would you specify that all members of the security group had rwx access to a particular file except for john?
extended permissions
    enabled
    permit rwx g:security
    deny rwx u:john
4. Which file would you edit to modify the ASCII login prompt? /etc/security/login.cfg
6. Name the two modes that tcbck supports. check mode and update mode
Checkpoint (2 of 2)
1. When you execute <ctrl-x ctrl-r> at a login prompt and you obtain the tsh prompt, what does that indicate?
(True or False) The system administrator must manually mark commands as trusted, which will automatically add the command to the sysck.cfg file.
7. (True or False) When the tcbck -p tree command is executed, all errors are reported and you get a prompt asking if the error should be fixed.
Checkpoint Solutions (2 of 2)
1. When you execute <ctrl-x ctrl-r> at a login prompt and you obtain the tsh prompt, what does that indicate? It indicates that someone is running a fake getty program (a Trojan horse) on that terminal.
(True or False) The system administrator must manually mark commands as trusted, which will automatically add the command to the sysck.cfg file. False. The system administrator must add the commands to sysck.cfg using the tcbck -a command.
(True or False) When the tcbck -p tree command is executed, all errors are reported and you get a prompt asking if the error should be fixed. False. The -p option specifies fixing and no reporting. (This is a very dangerous option.)
Unit Summary
The authentication process in AIX can be customized by authentication methods. Access control lists (ACLs) allow a more granular definition of file access modes. The Trusted Computing Base (TCB) is responsible for enforcing the security policies on a system.